17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:08.602{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002130973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.602{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002130972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.587{AEE49BD1-9080-613B-881B-01000000F101}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002130971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.172{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9914MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.101{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935426EB7B753725FBA8FB2E3A86DF95,SHA256=EF831B9FD2EFBC184E0E2F89BD7CA45CCA87094B8FE7FC9C9A0EEBAE7F684FD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:08.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2835B92CFADDB35EF46D2848F602A461,SHA256=3413050027086FB9A3B3D9097939D977418AF83FCCB782569443DCC830713439falsetrue 10341000x80000000000000002130969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:08.036{AEE49BD1-907F-613B-871B-01000000F101}27603080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007542284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D678F6055C9488C3D873FC4F4ACC8A,SHA256=B60DDA37C1AE5E232C3FE5DFA0C223BC1A8778658F8EE5A60083495606CA320Afalsetrue 10341000x80000000000000002131002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.354{AEE49BD1-9081-613B-891B-01000000F101}3464344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:09.235{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002130990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.235{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002130989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.221{AEE49BD1-9081-613B-891B-01000000F101}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002130988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.171{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9915MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A70BEEE01443CA146B93B9B90BAC48CE,SHA256=C781C675E8082C0EBF071DF8CA9A6A24C3283F7DB88AA12225140042EE59739B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002130986Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:09.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BA4555A376971112799B054EAABEC7,SHA256=E135AC43467CA0B67D3D1E9EDE2194E2DE8499E9D69AD366AC07E52174C17639,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2CBF0E2F9C8EA605D02F5CB3A9883F5C,SHA256=953BEFC5AEB36539D362DF2FEA2F55BF75232A97EA18D0851D1B731C6716AE17falsetrue 11241100x80000000000000007542280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=841E3A6DDF3EE330083F44447AF8709C,SHA256=590AC35AA07E79749EF8A9D6025D74E2E1F667BEDDCC8E1253920A319575560Afalsetrue 11241100x80000000000000007542278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x80000000000000007542286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:10.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:10.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C400519E56F3C6EA3D568ABDFB038C91,SHA256=AA526123449CB74454E15A69F143BC35D5F57EFE00C80D8FC26C9A74B6126769falsetrue 354300x80000000000000002131005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:01.980{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62329-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:10.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27FA57C3142E0C126D7BF7BA9CC7EA2E,SHA256=82469B0B4B6A62E86B4BDE983DE76F9624C1B3ED930A51851860FE95C6E6DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:10.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819630A199DBACCCB8F9D8BFC9658A90,SHA256=3337403EF812D89C93DBCE8FADCBB5801D5D0EF3C00F7917A2F9FA251048C0AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:11.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:11.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
23542300x80000000000000002131038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:22.166{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E1EA68ED106B1B7E1F40165A7B6F24,SHA256=795C0495CAADC2CD77C6E499A59CC6F7C68F457F0D67700CB251B150150E6125,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81439E3D967509F8392FF5C0229E4CC1,SHA256=09213FA41E1A666DE5BD4FAE928E9A49EB56138CA0DC80B7A3B8ADA8E94001E2falsetrue 354300x80000000000000007542335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:04.901{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56726-false10.0.1.12-8000- 11241100x80000000000000007542334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A12ECDF3B9A90E50368EEDA4B397810,SHA256=B4DF59098E058EFD3D6C79C38A4778C4A1178F70F2C10BB1965919D83BE6EF2Afalsetrue 11241100x80000000000000007542332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:23.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7DF87DDB2834815B5866CF9FE10B02,SHA256=366395BC2D6FE911BAC507A7E100185538ECE08F414A9C1882E3D944E16C7E01falsetrue 23542300x80000000000000002131039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:23.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEADE564B6B619912904780F7D6FBEF7,SHA256=8051C7DCFE5A4EDE26E5E0A0AD28087CDCB4646FF1E61AA618DD34A5EA9AE1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007542346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:24.476{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9923MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007542345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.475{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99232021-09-10 17:06:24.475 11241100x80000000000000007542344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.474{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99242021-09-10 17:06:24.474 11241100x80000000000000007542343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B8CF1AFABB02C10273F8602EADC68E1F,SHA256=54F9734C4865EB199B7F6F298025C7D77B4E31BA06B4233B5B8C62B28731E57Dfalsetrue 11241100x80000000000000007542341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:24.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C79CD5FC68F7840814EAFDE416FA9FE6,SHA256=9C4B9E584844F4C6C9F1D890D3E9B4FD32069EE58B8C667E130F02D430A7D209falsetrue 11241100x80000000000000007542339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.007{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:24.007{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D62C61A868304057618BCB8830EBEBA,SHA256=FA0404E7B72A8A5E608A9B217E5E3F71008E66BE5303D8C3A56FA9E672778EAFfalsetrue 23542300x80000000000000002131040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:24.189{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1708738D32E814F9C6D623D7270624BB,SHA256=59FCBB3CDBC592CA7A899EC0C5B406BA8F0BE03EE8D75B8CC5755A78BF64D8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007542349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.489{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9924MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000007542348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A704295B7237C0348B6199657A350A9B,SHA256=07B637A991CF9BEE20E1754DECC93AB0750FEF4BA07D87EE27DBA419A5AD585Cfalsetrue 23542300x80000000000000002131041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:25.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB4D9E27A3483844106659E1AC519B2,SHA256=06B88A98E77E67D9220D1AA6D7D8E972852ABEC1CAE8C8F62C174F2DB84572AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:26.655{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B32631062929E921D6B489186FDEE2F,SHA256=90445622F287E770118093E6C71A5AF017077DF3A38288B37FF682B336EE8CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:26.655{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BABAE59EBF8C4320663CB41C06F4B5,SHA256=82A19257670757D8BE18E962362EA62F96EA3F2B2E0224BD60EB2EBECD585B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:26.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40767B56F9E79E36EF65864C1CC8366,SHA256=EA37081736432E5443FAB09BDDAF19FAA0EB76C4DF4AC3635A7720D6A08AAF34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A12ECDF3B9A90E50368EEDA4B397810,SHA256=B4DF59098E058EFD3D6C79C38A4778C4A1178F70F2C10BB1965919D83BE6EF2Afalsetrue 11241100x80000000000000007542351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7725E34EB04EA09D88C70F94875FA64,SHA256=47A85CF5689354E8BE72A4213389405DD7021C30440F5DC1CCE0B1E1E3245E41falsetrue 23542300x80000000000000002131046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:27.194{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8056F86386EA5B05C35C44F8D31A465,SHA256=CB7FD569A017C91665A1F56D1A6C979E4F320FC19334DC0FAF2DD30493B131CF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000007542357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.382{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal56513- 354300x80000000000000007542356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:08.381{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51735- 11241100x80000000000000007542355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:27.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:27.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21848D5C460220B87BAE042E15273D4,SHA256=88681DB9CE01C9670FA7749D32C1E60FAED1D3D331B9D720C776FFC6863D6BD1falsetrue 354300x80000000000000002131045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.298{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c870:e405:589:ffff-51735-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x80000000000000002131059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:28.196{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC02B6844AE1A357EE7DB789C63809C0,SHA256=2F13C1516AF9E9834275BEBE6E13D27C827DFE4D47EC50AB5EDC776E90191380,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.522{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFEE2A3B94F271763E4B6E2118F95D28,SHA256=1E40954D92F18A66F3EE1B8875349BD9B3E9ECB25EDDD588F88C486CC7D4BB76falsetrue 354300x80000000000000007542362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:09.995{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56727-false10.0.1.12-8000- 11241100x80000000000000007542361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007542360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC02585D4DB4242C3FB61A999F9D110E,SHA256=8EF5AF4E7B17CBF002981F2E35AE507CA86888FAAB367D6D25F202A3D917C2EBfalsetrue 11241100x80000000000000007542359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:28.070{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF0769F662AF32F6CC1689B985AC0D7,SHA256=6C42AC7399AED64957CAAB6117A869043353268EE299097DD02C6C91B9279C4Dfalsetrue 354300x80000000000000002131058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.999{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62334-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002131057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:18.307{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla 
Firefox\firefox.exeWIN-HOST-296\Administratortcptruefalse10.0.1.15win-host-296.attackrange.local62333-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 13241300x80000000000000002131056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002131055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x245d8463) 13241300x80000000000000002131054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xcf18edd4) 13241300x80000000000000002131053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x30dd55d4) 13241300x80000000000000002131052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0x92a1bdd4) 13241300x80000000000000002131051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 
17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002131050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x245d8463) 13241300x80000000000000002131049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xcf18edd4) 13241300x80000000000000002131048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x30dd55d4) 13241300x80000000000000002131047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:06:28.016{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0x92a1bdd4) 23542300x80000000000000002131060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:29.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AC5BB68E74AF0F9B29BE2576BE4052,SHA256=EF743DBBE12F945CA566C97CCF0164C1A81EF338F8A343B9FE3877E11E47C428,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007542370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F207590C02FE1A625B88F15D8C700879,SHA256=B8F62999E425BA4C214A48E39DDE4FD034D49551EE1B37184D29228D6D65C475falsetrue 11241100x80000000000000007542368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B9E88F8DF0F31B96DC53BE2679EFF0A,SHA256=5C5397402A3FCD70F26C617EA4B2E7E9BAF7655FF0BC89F70AF060A15F37F5D0falsetrue 11241100x80000000000000007542366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.921{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 354300x80000000000000007542515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:26.045{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56731-false10.0.1.12-8000- 354300x80000000000000007542514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.699{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56730-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007542513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:25.699{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56730-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 734700x80000000000000007542512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007542509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007542508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007542507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 
734700x80000000000000007542506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007542503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:44.905{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007542498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.905{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.900{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:44.899{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84890A5874CDBA0D9BF29C002DC0362,SHA256=1935107E8D9C9C48AD5F7119DBDEDAFE452B9DF23F94FC9745EC03C00980C62Dfalsetrue 11241100x80000000000000007542487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E5D029FD1D448FF15E0241A9C3C5A6A,SHA256=00479C892D273E23163C5363AE5F8FCC272FC1F0CF92A5D2EA5765D0220EF4BEfalsetrue 23542300x80000000000000002131086Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:44.391{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=106C6CE31B6BFF803AB2D452AF6D136D,SHA256=A4AF25B21D1EC8CD4BF272D02021E4FAD723F769DAAD762A541B6CCE3825C91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131085Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:44.391{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A5B0DB9497F64B5910958D5F9914BF,SHA256=2BEBB764BBDD6E27E556BE26BE03BB0BEDAA572E196D55B4FB0648F153852BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131084Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:44.228{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE783EA5229C0487299900340EFDAB83,SHA256=4295252B10FB921E6B65028AD90A0E90D58EAC16CD26AA2F88DE1F67AC468FDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:44.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000007542585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.604{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.603{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.602{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.601{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.601{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.600{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.600{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.599{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.599{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007542563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.598{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.598{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.583{4DF467A6-90A5-613B-5D22-01000000F001}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:45.582{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032AB6BAC3AA38BCDD561CDE9EFB5D4F,SHA256=4F89F1A43AD1A5A8946C7D9BE183E76D4A8FDC91D259306C426E1E92055F1A8Bfalsetrue 534500x80000000000000007542552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007542551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:45.052{4DF467A6-90A4-613B-5C22-01000000F001}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
354300x80000000000000002131087Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:35.933{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62337-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000007542732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007542731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.980{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 
(rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007542724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007542722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000007542720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000007542709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007542691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:46.849{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007542685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.836{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007542677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 17141700x80000000000000007542676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.833{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000007542675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.833{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26827CA9063DB8057A972C633E2EFA9A,SHA256=598B3A60623BCC524AAB5AB91D1B82A4BDCF4E36819D87C774F2E9E4EB45A9C4falsetrue 23542300x80000000000000002131089Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:46.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8D3BE8DF6D3C6D2EEBDE4AC4B95F7B,SHA256=2F4E5646B2A28F9F9BF98061CCA25D9511A66E9172FA3727EF2116F68FBAD382,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.702{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007542673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.702{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000007542672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9423811990800D8516A9B81C84CCEFF4,SHA256=FF580B044214FE69435E32BF83DDBA672C35E00FA8103FEE6782D7CFB4021695falsetrue 534500x80000000000000007542670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.434{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007542669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.418{4DF467A6-90A6-613B-5E22-01000000F001}68325476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.418{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.418{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
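The records on this page are Sysmon events from the Attack Range hosts, exported through the Splunk universal forwarder with the XML field boundaries dropped, so each record reads as one unbroken run of text. The System header is still recoverable because Sysmon sets Task equal to EventID: a record beginning `734700x8000000000000000 7542724` is EventID 7, Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, RecordNumber 7542724, followed by Channel, Computer, RuleName (`-`) and the event body (ImageLoaded plus hashes and signature fields for EID 7, the source and target process with GrantedAccess and CallTrace for EID 10, pipe name and image for EID 17/18). The Python below is an added example and is not part of this dataset, of Sysmon or of Splunk: it decodes the fused records with regular expressions keyed on those shape invariants (braced GUIDs, drive-letter paths, the `MD5=...,SHA256=...` run) and runs two triage checks over them. Three of the sample records are copied from the export above; the two marked constructed are invented so that a check fires. Assumptions: the SignatureStatus vocabulary beyond `Valid`, the lsass and user-writable-path rules, and the use of Sysmon's `UNKNOWN(...)` CallTrace frame as an unbacked-memory indicator are the example's own choices; FileVersion through OriginalFileName, and SourceProcessId/SourceThreadId in EID 10, cannot be separated once fused and are kept as single fields.

```python
"""Decode the fused Sysmon records shown on this page and run two triage checks over them.
Added example; not part of the Attack Range dataset, Sysmon or Splunk."""
import re

# System header once the XML delimiters are gone:
#   <EventID><Version><Level><Task><Opcode>0x<Keywords><RecordNumber><Channel><Computer>-[EventType]<UtcTime><body>
HEADER = re.compile(
    r"^(?P<sys>\d+)0x(?P<keywords>[0-9A-Fa-f]{16})(?P<record>\d+)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)"
    r"(?P<computer>[\w.-]+?)-(?P<eventtype>[A-Za-z]+)?"
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$", re.S)
GUID = r"\{[0-9A-Fa-f-]{36}\}"
PATH = r"[A-Za-z]:\\.+?"
HASHES = r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64})(?:,IMPHASH=[0-9A-F]{32})?"
# EID 7: ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion..OriginalFileName (fused, kept as one
# field), Hashes, Signed, Signature, SignatureStatus (values other than Valid are assumed, not seen here).
BODY_7 = re.compile(
    rf"^(?P<guid>{GUID})(?P<pid>\d+)(?P<image>{PATH}\.exe)(?P<loaded>{PATH}\.(?:dll|DLL|exe))"
    rf"(?P<version_info>.*?){HASHES}"
    r"(?P<signed>true|false)(?P<signature>.*?)(?P<status>Valid|Invalid|Unavailable|Expired|Revoked)$", re.S)
# EID 10: SourceProcessGUID, SourceProcessId+SourceThreadId (fused), SourceImage, TargetProcessGUID,
# TargetProcessId, TargetImage, GrantedAccess, CallTrace. GrantedAccess is matched lazily because the
# CallTrace behind it starts with a drive letter, and "C" is a hex digit.
BODY_10 = re.compile(
    rf"^(?P<src_guid>{GUID})(?P<src_pid_tid>\d+)(?P<src_image>{PATH}\.exe)"
    rf"(?P<tgt_guid>{GUID})(?P<tgt_pid>\d+)(?P<tgt_image>{PATH}\.exe)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN|$)(?P<calltrace>.*)$", re.S)
# EID 17/18: ProcessGuid, ProcessId, PipeName, Image.
BODY_PIPE = re.compile(rf"^(?P<guid>{GUID})(?P<pid>\d+)(?P<pipe><Anonymous Pipe>|\\.+?)(?P<image>{PATH})$", re.S)
BODY_BY_EID = {7: BODY_7, 10: BODY_10, 17: BODY_PIPE, 18: BODY_PIPE}


def split_system(digits):
    """'73470' -> (7, 3, 4, 0): EventID, Version, Level, Opcode; Task must equal EventID."""
    n = (len(digits) - 3) // 2
    eid, ver, lvl, task, op = digits[:n], digits[n], digits[n + 1], digits[n + 2:2 * n + 2], digits[-1]
    if eid != task or len(digits) != 2 * n + 3:
        raise ValueError(f"unexpected System field run: {digits}")
    return int(eid), int(ver), int(lvl), int(op)


def parse_record(rec):
    """One fused record -> dict; event IDs without a body pattern keep the body as a string."""
    m = HEADER.match(rec.strip())
    if not m:
        raise ValueError("not a fused Sysmon record: " + rec[:40])
    eid, ver, lvl, op = split_system(m["sys"])
    ev = {"event_id": eid, "version": ver, "level": lvl, "opcode": op, "keywords": m["keywords"],
          "record": int(m["record"]), "computer": m["computer"], "utc": m["utc"], "event_type": m["eventtype"]}
    pat = BODY_BY_EID.get(eid)
    bm = pat.match(m["body"]) if pat else None
    if pat and not bm:
        raise ValueError(f"EID {eid} body did not decode: {m['body'][:60]}")
    ev.update(bm.groupdict() if bm else {"body": m["body"]})
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_CREATE_THREAD = 0x0010, 0x0020, 0x0002


def check_process_access(ev):
    """EID 10: handle to lsass with read/write/thread rights, or an opener not backed by a module on disk."""
    access, src = int(ev["access"], 16), basename(ev["src_image"])
    if basename(ev["tgt_image"]) == "lsass.exe" and access & (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        return f"{src} opened lsass.exe with GrantedAccess {ev['access']}"
    if "UNKNOWN" in ev["calltrace"]:
        return f"{src} opened {basename(ev['tgt_image'])} from memory not backed by a module (CallTrace has UNKNOWN)"
    return None


def check_image_load(ev):
    """EID 7: unsigned or non-Valid module, or a module from a user-writable directory (sideload heuristic)."""
    loaded = ev["loaded"].lower()
    if ev["signed"] != "true" or ev["status"] != "Valid":
        return f"{basename(ev['image'])} loaded unsigned/{ev['status']} module {ev['loaded']}"
    if loaded.startswith("c:\\users\\") or "\\appdata\\" in loaded or "\\temp\\" in loaded:
        return f"{basename(ev['image'])} loaded {ev['loaded']} from a user-writable path"
    return None


CHECKS = {7: check_image_load, 10: check_process_access}


def triage(records):
    """Return (RecordNumber, EventID, reason) for every record a check flags, in input order."""
    hits = []
    for rec in records:
        ev = parse_record(rec)
        reason = CHECKS.get(ev["event_id"], lambda e: None)(ev)
        if reason:
            hits.append((ev["record"], ev["event_id"], reason))
    return hits


# First three records are copied verbatim from the export above; the last two are constructed to produce hits.
SAMPLE_RECORDS = [
    r"734700x80000000000000007542724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid",
    r"18141800x80000000000000007542723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.864{4DF467A6-90A6-613B-5F22-01000000F001}5752\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe",
    r"10341000x80000000000000007542685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.849{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-90A6-613B-5F22-01000000F001}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f",
    # constructed: a binary in %TEMP% opens lsass with PROCESS_VM_READ from an unbacked frame
    r"10341000x80000000000000009000001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:00.000{AEE49BD1-0000-6132-0000-00000000F101}41208192C:\Users\bob\AppData\Local\Temp\update.exe{AEE49BD1-0000-6132-0000-00000000F101}652C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001E3F0A21B10)",
    # constructed: the same binary loads an unsigned DLL sitting beside it (hashes are placeholders)
    r"734700x80000000000000009000002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:00.100{AEE49BD1-0000-6132-0000-00000000F101}4120C:\Users\bob\AppData\Local\Temp\update.exeC:\Users\bob\AppData\Local\Temp\version.dll-----MD5=0123456789ABCDEF0123456789ABCDEF,SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEFfalse-Unavailable",
]

if __name__ == "__main__":
    for record, eid, reason in triage(SAMPLE_RECORDS):
        print(f"record {record} EID {eid}: {reason}")
```

Run as a script it reports only the two constructed rows. The three genuine rows pass, which is the point of the checks: csrss.exe, conhost.exe and the parent splunkd.exe each open a freshly started process with 0x1fffff, as the EID 10 records right after the EID 1 for splunk-MonitorNoHandle.exe show, so a rule keyed on the full-access mask alone would fire on every process launch; what distinguishes a credential-dumping handle is the target (lsass.exe) and a caller that is not backed by a module on disk.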
734700x80000000000000007542666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007542662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007542660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007542640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.303{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 
734700x80000000000000007542634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.302{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.301{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007542628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.300{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.299{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.299{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.299{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.298{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007542623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:46.297{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.297{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:46.282{4DF467A6-90A6-613B-5E22-01000000F001}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:46.281{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
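The records above show why a naive "GrantedAccess 0x1fffff" rule on Sysmon EventID 10 is noisy: when splunkd.exe spawns splunk-admon.exe, three processes open the new child with full access within a millisecond (the parent splunkd.exe, csrss.exe from basesrv.dll, and conhost.exe from ConhostV2.dll), and a few records later splunk-regmon.exe opens its parent with the query-only mask 0x101400. The script below is an added example, not code from the page, from Splunk or from Sysmon. It reassembles those records in Sysmon's native Windows Event XML (the excerpt has lost the tags, so the XML form, the truncated CallTrace strings and the field names are taken from Sysmon's published schema, not from the page), parses them, and applies the three suppressions a practitioner would want before alerting. The unknown.exe-to-lsass.exe record and its zero/one GUIDs are purely constructed to exercise the alert path.

```python
"""Triage Sysmon ProcessAccess (EventID 10) records against ProcessCreate (EventID 1).

The sample records are constructed from values visible in the log excerpt
(splunkd.exe spawning splunk-admon.exe on win-dc-291, csrss/conhost opening the
child, splunk-regmon.exe opening splunkd.exe) and reassembled as Windows Event
XML. The lsass.exe record is invented to exercise the alert path.
"""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SPLUNK_BIN = r"C:\Program Files\SplunkUniversalForwarder\bin"
ADMON_GUID = "{4DF467A6-90A6-613B-5E22-01000000F001}"
SPLUNKD_GUID = "{4DF467A6-D933-6137-53AF-00000000F001}"

def make_event(event_id, record_id, data):
    """Build a minimal Sysmon event in the Windows Event XML schema (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<EventRecordID>{record_id}</EventRecordID>"
            "<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
            "<Computer>win-dc-291.attackrange.local</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")

def access(record_id, src_guid, src_pid, src_image, tgt_guid, tgt_pid, tgt_image, granted, trace):
    """EventID 10 (ProcessAccess) with the field names Sysmon uses for that event."""
    return make_event(10, record_id, {
        "SourceProcessGUID": src_guid, "SourceProcessId": src_pid, "SourceImage": src_image,
        "TargetProcessGUID": tgt_guid, "TargetProcessId": tgt_pid, "TargetImage": tgt_image,
        "GrantedAccess": granted, "CallTrace": trace})

SAMPLE_EVENTS = [
    make_event(1, 7542621, {  # ProcessCreate: splunkd.exe -> splunk-admon.exe
        "ProcessGuid": ADMON_GUID, "ProcessId": "6832",
        "Image": SPLUNK_BIN + r"\splunk-admon.exe", "User": r"NT AUTHORITY\SYSTEM",
        "ParentProcessGuid": SPLUNKD_GUID, "ParentProcessId": "7044",
        "ParentImage": SPLUNK_BIN + r"\splunkd.exe"}),
    access(7542622, SPLUNKD_GUID, "7044", SPLUNK_BIN + r"\splunkd.exe",
           ADMON_GUID, "6832", SPLUNK_BIN + r"\splunk-admon.exe", "0x1fffff",
           r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860"),
    access(7542623, "{4DF467A6-3F46-6132-0500-00000000F001}", "412", r"C:\Windows\system32\csrss.exe",
           ADMON_GUID, "6832", SPLUNK_BIN + r"\splunk-admon.exe", "0x1fffff",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47"),
    access(7542628, "{4DF467A6-D934-6137-57AF-00000000F001}", "5448", r"C:\Windows\system32\conhost.exe",
           ADMON_GUID, "6832", SPLUNK_BIN + r"\splunk-admon.exe", "0x1fffff",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"),
    access(7542787, "{4DF467A6-90A7-613B-6022-01000000F001}", "656", SPLUNK_BIN + r"\splunk-regmon.exe",
           SPLUNKD_GUID, "7044", SPLUNK_BIN + r"\splunkd.exe", "0x101400",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd"),
    # Constructed, not from the excerpt: an unknown binary reading lsass memory (placeholder GUIDs).
    access(9000001, "{00000000-0000-0000-0000-000000000000}", "4242", r"C:\Users\Public\unknown.exe",
           "{11111111-1111-1111-1111-111111111111}", "624", r"C:\Windows\system32\lsass.exe", "0x1010",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(0000000000401234)"),
]

# PROCESS_* access-mask bits that allow reading or altering another process's memory or threads.
VM_OPERATION, CREATE_THREAD, VM_READ, VM_WRITE = 0x0008, 0x0002, 0x0010, 0x0020
SENSITIVE_BITS = VM_OPERATION | CREATE_THREAD | VM_READ | VM_WRITE
# Subsystem processes that open every new console process with full access by design;
# matched on the full System32 path so a same-named binary elsewhere is not whitelisted.
OS_SETUP_OPENERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}

def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of its System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
           "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS))}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec

def triage_process_access(events):
    """Return (record_id, source, target, granted, verdict) for every EventID 10 record."""
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    out = []
    for e in sorted((e for e in events if e["EventID"] == 10), key=lambda e: e["EventRecordID"]):
        granted = int(e["GrantedAccess"], 16)
        if not granted & SENSITIVE_BITS:
            verdict = "suppress:query_only"        # e.g. 0x101400: query + synchronize only
        elif e["SourceImage"].lower() in OS_SETUP_OPENERS:
            verdict = "suppress:os_process_setup"  # csrss/conhost initialising a new process
        elif parent_of.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            verdict = "suppress:parent_handle"     # CreateProcess hands the parent a full-access handle
        else:
            verdict = "alert"
        out.append((e["EventRecordID"], e["SourceImage"], e["TargetImage"], e["GrantedAccess"], verdict))
    return out

def run(xml_events=SAMPLE_EVENTS):
    return triage_process_access([parse_event(x) for x in xml_events])

if __name__ == "__main__":
    for row in run():
        print(row)
```

Run as-is, the three 0x1fffff opens of splunk-admon.exe are each suppressed for a different reason, the 0x101400 open of splunkd.exe never reaches the image checks because its mask carries no memory or thread rights, and only the constructed lsass.exe read is reported. Two caveats for production use: the parent-handle suppression should be bounded to the creation window (compare the EventID 10 UtcTime with the matching EventID 1), since a parent injecting into a long-running child is exactly the case you want to see, and the csrss/conhost allow-list must stay on full System32 paths rather than basenames.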
11241100x80000000000000007542795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67E128F1862B3B7CF424FBF27F08D5E,SHA256=3F4F037F776BF9C03DCDDD0929F960EEA8A1266290127DA2A299858507C6D7BCfalsetrue 11241100x80000000000000007542793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A96182843927762BFC4F1033D037440,SHA256=AA0B022A7BA9357EFF15A234BF73AB51246FC5145E9F1F86AD79EB3E7CA2E974falsetrue 11241100x80000000000000007542791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.947{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61DD0F4F5BF04A7A23B215CEC4E82B38,SHA256=7C157564C140E21637221FE7177625040AA0DA976D836870C0555FA69F8ABB6Afalsetrue 23542300x80000000000000002131090Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:47.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8456EC125637E067C41D34025661B7,SHA256=25A76FEF5608C68F6B23D26C17851B56110F0449F49158FA2D138A7F5B0DFD58,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007542789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007542788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007542787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}6562932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.679{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007542780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.563{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007542778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft 
WindowsValid 734700x80000000000000007542775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007542766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007542762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft 
WindowsValid 734700x80000000000000007542760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007542747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007542746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007542741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.548{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:47.533{4DF467A6-90A7-613B-6022-01000000F001}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:47.532{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131091Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:48.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF928016382F3E5AE0B79489D161AB64,SHA256=F975495EB66E33912A6E1CD38A635BD1AD7F4196CA58790B0A26E23D74DC3E3F,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007542852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007542851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007542850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007542849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.378{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007542848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007542847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007542846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007542845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007542844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.262{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007542843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007542842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007542841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007542840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007542839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007542838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007542837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007542836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007542835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007542834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007542833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007542832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000007542831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007542830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007542829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007542828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007542827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007542826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007542825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007542824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007542823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007542822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007542821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007542820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007542819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007542818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007542817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007542816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007542815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007542814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft 
WindowsValid 734700x80000000000000007542813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007542812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007542811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007542810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007542809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007542808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007542807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007542806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:48.247{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007542805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007542804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.247{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007542803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:48.232{4DF467A6-90A8-613B-6122-01000000F001}7572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007542802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007542800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
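The records above are Sysmon events (channel Microsoft-Windows-Sysmon/Operational) with their XML tags stripped by extraction, so each value runs straight into the next: the Event 1 ProcessCreate for splunk-winprintmon.exe (PID 7572, parent splunkd.exe PID 7044), followed by the Event 10 ProcessAccess records in which splunkd.exe, csrss.exe and conhost.exe each open that new process with GrantedAccess 0x1fffff (PROCESS_ALL_ACCESS). Those three handles are normal process start-up, and telling them apart from a hostile handle is the point of the following added example. It is not code from the page or from Splunk or Sysinternals. It parses events in the native Windows XML form that Sysmon writes (field names follow Sysmon's schema: ProcessGuid/ParentProcessGuid on Event 1, SourceProcessGUID/TargetProcessGUID/GrantedAccess on Event 10), correlates each Event 10 with the Event 1 of its target so that a parent holding a full handle on its own child is not flagged, and allowlists csrss.exe and conhost.exe (an assumption made for this example). The sample XML is constructed: its System element is abbreviated, the first four records reuse the GUIDs, PIDs and paths from this page, and the fifth (an unknown binary reading lsass.exe memory) is invented to show a positive hit.

```python
"""Parse Sysmon events (native Windows XML) and triage Event 10 ProcessAccess records.
Added example, not code from the page, Splunk or Sysinternals."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# PROCESS_* access rights from winnt.h; any of these lets the holder touch the target's memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumption for this example: csrss.exe and conhost.exe open every new console process with
# PROCESS_ALL_ACCESS (0x1fffff) during normal start-up, so they are allowlisted as sources.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


@dataclass
class SysmonEvent:
    event_id: int
    record_id: int
    computer: str
    data: Dict[str, str] = field(default_factory=dict)


def parse_events(xml_text: str) -> List[SysmonEvent]:
    """Parse every <Event> under the root element; EventData becomes a name->value dict."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % EVT_NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.find("e:EventData", NS).findall("e:Data", NS)}
        events.append(SysmonEvent(
            event_id=int(system.find("e:EventID", NS).text),
            record_id=int(system.find("e:EventRecordID", NS).text),
            computer=system.find("e:Computer", NS).text,
            data=data,
        ))
    return events


def summarize(events: List[SysmonEvent]) -> Dict[int, int]:
    """Count records per EventID."""
    return dict(Counter(e.event_id for e in events))


def triage_process_access(events: List[SysmonEvent]) -> List[Tuple[int, str, str, int]]:
    """Return (record_id, source, target, granted) for Event 10 records that grant memory rights
    on the target and come from neither csrss/conhost nor the target's own parent process."""
    # Event 1 tells us who spawned whom; a parent holding a full handle on its child is expected.
    parent_of = {e.data["ProcessGuid"]: e.data["ParentProcessGuid"] for e in events if e.event_id == 1}
    flagged = []
    for e in events:
        if e.event_id != 10:
            continue
        granted = int(e.data["GrantedAccess"], 16)
        if not granted & MEMORY_RIGHTS:
            continue  # e.g. 0x1400 = QUERY_INFORMATION | QUERY_LIMITED_INFORMATION only
        if e.data["SourceImage"].lower() in BENIGN_SOURCES:
            continue
        if parent_of.get(e.data["TargetProcessGUID"]) == e.data["SourceProcessGUID"]:
            continue
        flagged.append((e.record_id, e.data["SourceImage"], e.data["TargetImage"], granted))
    return flagged


def _event(event_id: int, record_id: int, computer: str, **data: str) -> str:
    """Build one <Event> with an abbreviated <System> block (constructed sample data)."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><EventRecordID>%d</EventRecordID>'
            '<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>%s</Computer>'
            '</System><EventData>%s</EventData></Event>' % (EVT_NS, event_id, record_id, computer, fields))


DC = "win-dc-291.attackrange.local"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
PRINTMON = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
SPLUNKD_GUID = "{4DF467A6-D933-6137-53AF-00000000F001}"
PRINTMON_GUID = "{4DF467A6-90A8-613B-6122-01000000F001}"

# Constructed sample: the first four mirror records on this page; the last is a made-up
# credential-theft pattern (unknown binary reading lsass.exe memory) to show a positive hit.
SAMPLE_XML = "<Events>" + "".join([
    _event(1, 7542803, DC, ProcessGuid=PRINTMON_GUID, ProcessId="7572", Image=PRINTMON,
           ParentProcessGuid=SPLUNKD_GUID, ParentProcessId="7044", ParentImage=SPLUNKD),
    _event(10, 7542804, DC, SourceProcessGUID=SPLUNKD_GUID, SourceImage=SPLUNKD,
           TargetProcessGUID=PRINTMON_GUID, TargetImage=PRINTMON, GrantedAccess="0x1fffff"),
    _event(10, 7542805, DC, SourceProcessGUID="{4DF467A6-3F46-6132-0500-00000000F001}",
           SourceImage=r"C:\Windows\system32\csrss.exe", TargetProcessGUID=PRINTMON_GUID,
           TargetImage=PRINTMON, GrantedAccess="0x1fffff"),
    _event(10, 2131112, "win-host-296.attackrange.local",
           SourceProcessGUID="{AEE49BD1-415B-6132-1D00-00000000F101}", SourceImage=r"C:\Windows\sysmon64.exe",
           TargetProcessGUID="{AEE49BD1-415A-6132-0C00-00000000F101}",
           TargetImage=r"C:\Windows\system32\svchost.exe", GrantedAccess="0x1400"),
    _event(10, 990001, DC, SourceProcessGUID="{00000000-0000-0000-0000-000000000001}",
           SourceImage=r"C:\Users\Public\tool.exe", TargetProcessGUID="{00000000-0000-0000-0000-000000000002}",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
]) + "</Events>"

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print(summarize(evs))
    for hit in triage_process_access(evs):
        print("FLAG record %d: %s -> %s (0x%x)" % hit)
```

Run against the sample, only the constructed lsass.exe record is returned: the splunkd.exe handle is suppressed by the parent correlation, the csrss.exe handle by the allowlist, and the sysmon64.exe handle on svchost.exe because 0x1400 carries no memory rights. On real data the Event 1 lookup must be built from the whole log, not just the window being triaged, or every parent handle for a process created before the window will be flagged.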
18141800x80000000000000007542798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007542797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:06:48.231{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000007542796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:29.573{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56732-false10.0.1.12-8089- 23542300x80000000000000002131092Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:49.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FD99C408632B85A05148B493C56E9C,SHA256=6739208D0F491DCF030A59886C1FE47B101FD04DB1A7D8A9B8E1B026097FA7BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C3F1B103DF33D824EB156A8D5F0CD94,SHA256=FE668A8643F1CF393A1C0631EAA5085F2CED8C3A30478FE879B209AB87FEE9BCfalsetrue 11241100x80000000000000007542860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4874EA0B958E3682367FFFC1D2B097A,SHA256=DD8EA40088F17C18E7C7EC6D298ABC596D5B0B15668CCA8CF3EB6821B34067D3falsetrue 11241100x80000000000000007542858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A704A1026A56BD4363CE793B94498F3,SHA256=7FE825877486397158C9576FF863974F5A98FB422858B5307BCE347347148200falsetrue 
11241100x80000000000000007542856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60478AA25B79AE92C560A93C397151A0,SHA256=F14D817E2A4A00A4A19AC0881031EF71B1063741017FBEC532ECF97F6B2A931Cfalsetrue 11241100x80000000000000007542854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:49.077{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C92CF802F5FF8A85B14E0D2926CC8DD9,SHA256=951FC57673B5D4EC20A0EA45F3CF9D867E5255CD1B2EC5529C23C077AED7AFFDfalsetrue 11241100x80000000000000007542866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007542865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF11E821BA55793CBA9E5F8AE57EAFCF,SHA256=ED51D664DB4D1228781A2FF44AF23D8633C44A1500CAF711C216CEB293B72DB0falsetrue 11241100x80000000000000007542864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:50.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49367792F94646C1EB1370B071A28097,SHA256=DFC76090CA5523FBB491D5A43D948A7FCB0DE3935743303663C613238ADD1AE0falsetrue 23542300x80000000000000002131095Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:50.238{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E6266CEDD614453E6CB24F662999E,SHA256=B41A19C2DAA7B77CB0B89357F541CC93E8E53436C58CE1BC6DF442CC1C36FCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131094Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:50.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B387DD70674BDEF02A2BD0C7F08C5A9,SHA256=8458533B6E1BA7C465D4C7BC6287B514314EC0335131A56E313E4EDEE301515D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131093Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:50.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=106C6CE31B6BFF803AB2D452AF6D136D,SHA256=A4AF25B21D1EC8CD4BF272D02021E4FAD723F769DAAD762A541B6CCE3825C91E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:51.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:51.192{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE13ED28C8DCA23D112E3C87503B93,SHA256=1D0ABED4257C7DCF4C112577F2DF3BBCBA7A796DD1CE8355D8A9CA8ED4388D36falsetrue 23542300x80000000000000002131097Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:51.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D9D921728822C05400C7357B105C93,SHA256=8DA10A5CD9C520E4DF29B5C3E66624541FB2BBA0FB82FF5F75EA1B8704D9C0F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007542867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:32.050{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56733-false10.0.1.12-8000- 354300x80000000000000002131096Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:41.891{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62338-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007542871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:52.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:52.210{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D873F5B55CEB14E6E95CA584907F95,SHA256=CE1675060F894EC7EA51965D3EEAAD896E2BD7F2CBDDCC804535C32CD9910327falsetrue 23542300x80000000000000002131098Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:52.243{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A26266CCD19C9243655AAB73BBBB7A1,SHA256=83153F766F9A9A9108AADB97C920FEBEAD22EA8F6F7F4F3EEEF53E39E04ED550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131099Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:53.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E103F5C26E5D7A6B3CF358DD1CB8D312,SHA256=ACA36AF2F2D8E9B8579D2402C76A6B1A1D620598040EB097DF4274CC47076EC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.792{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB5C90FD7863380F4C64169F3CB0E98C,SHA256=DC7B518210FF1D582829F2344442331AA5463B2F58C2207FDB6CB20FF52BA465falsetrue 11241100x80000000000000007542873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:53.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773F2702EB785CAD08A76A27310C9B1C,SHA256=D77393017BB770148663CB8A320F49ADF3C5F6687437D4C74C1A1136D4B8B183falsetrue 11241100x80000000000000007542881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1B08E320E7EC5B1253556BA45B9D5F7C,SHA256=1786F07C7D725D4E1B5ABC63B52EEF5E951114EFA5C0B866DFD55B2D018E255Ffalsetrue 11241100x80000000000000007542879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007542878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E6EDB12161059A3B58F80FF1BE70D50,SHA256=09F32DB3F457862C9085BDB72DBD7BA3F93A4F6F15F47D3BFB2CBA0941BABCF9falsetrue 11241100x80000000000000007542877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:54.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B516B4CA67EFEA5B1B9982DCF43D119F,SHA256=764871933CEC6F55B1DCAE690085A93ED246E04AC3DFC6663A9D5E68D01AD358falsetrue 10341000x80000000000000002131113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131107Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131106Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131105Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131104Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:54.663{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131103Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131102Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.663{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131101Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.648{AEE49BD1-90AE-613B-8B1B-01000000F101}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131100Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:54.247{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6654C4417B9B093B944DE413B3C4FE33,SHA256=896F4CA019FE697057BDF2E438DFF173FEBEDF38DA8A59F08D204B9560559454,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007542883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:55.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:55.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930F591F3C8D37F5314996F8D2C0CBA9,SHA256=A2671593DEFB1BDC70AE84605E0845BB545F24F0C3A9F48AC6FF7EEBEE39DD19falsetrue 10341000x80000000000000002131143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131142Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.948{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.948{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.933{AEE49BD1-90AF-613B-8D1B-01000000F101}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002131130Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.409{AEE49BD1-90AF-613B-8C1B-01000000F101}24842956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131119Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:06:55.278{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131118Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.278{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131117Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.263{AEE49BD1-90AF-613B-8C1B-01000000F101}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131116Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.263{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ADD43D991B36804735F1CBCAAF783D,SHA256=3A537D1A67E331E6B0EC9E023057515566AAE7DF68C8B4C01210F40F1BDDF617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131115Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7432701AC08E1409D783CD5810999E,SHA256=7B2E096CD557FB434E24E590109B0D33E648178C28DB2405F8C886DF9FB29788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:55.210{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B387DD70674BDEF02A2BD0C7F08C5A9,SHA256=8458533B6E1BA7C465D4C7BC6287B514314EC0335131A56E313E4EDEE301515D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007542889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A969DD74EEE7E71444ECA476828D39B4,SHA256=69DC190FDBB3DC1A7B79FA3CE6DDEB2D362ADB0663C8CF4414DCE138BFFDCFE0falsetrue 11241100x80000000000000007542887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8803C4789804943486107CCE99F655B,SHA256=9DB9F00BF564A7595CBD9216F9330CA5577428ED70CDED0992E47D127CA07A18falsetrue 11241100x80000000000000007542885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007542884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:56.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30B215AFB3B10E8E123EABC12E045FBD,SHA256=02D489A26E83F5FB2B2EC31D636953753B7CDB0E3012CE113875312A23148EFCfalsetrue 23542300x80000000000000002131146Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:56.395{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1558C41002238A86FCE98D9F017A7B8D,SHA256=13BEC29B22C62A9BE10A428056676F0DF35955C059502D1330189D3C9F2D44E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131145Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:56.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7432701AC08E1409D783CD5810999E,SHA256=7B2E096CD557FB434E24E590109B0D33E648178C28DB2405F8C886DF9FB29788,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131144Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:46.954{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62339-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007542892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:06:57.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:57.335{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1654E3CDC0BFF3B7FBB054162569C5,SHA256=EBC39E9792D5875E3B77A6A0FA28D1B507BFDF4C8FBF595D5D9AFF0AE4AECCA0falsetrue 354300x80000000000000007542890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:37.996{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56734-false10.0.1.12-8000- 23542300x80000000000000002131147Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:57.266{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A061794B56CD5EA76911672A493A05B,SHA256=2E1DEFF75AD430930310F24411DB8E02003B5D3BB3679BCADFA25DB0E928F748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131148Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:58.268{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D565AC1D391069963D554985B74781,SHA256=C74DE80FB0CB8A6FA1FB5373AF5F19E28E13779312F177B29C4200C66A5A957C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8426EA46D7B8CF2849A3F869AF7F6B41,SHA256=E6135969BFC3EC8785C39BD113983322896C4EACC2291AB4D665D366C41C16EAfalsetrue 13241300x80000000000000007542908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007542907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x2465ef8a) 12241200x80000000000000007542906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000007542905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xe1d77402) 13241300x80000000000000007542904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x439bdc02) 13241300x80000000000000007542903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0xa5604402) 13241300x80000000000000007542902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007542901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x2465ef8a) 12241200x80000000000000007542900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 
13241300x80000000000000007542899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65d-0xe1d77402) 13241300x80000000000000007542898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0x439bdc02) 13241300x80000000000000007542897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:06:58.665{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66e-0xa5604402) 11241100x80000000000000007542896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.482{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000007542895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.481{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09F6EDD1EFE650B0D9BEF1BDE92F3446,SHA256=527C9F14D1F799AA4D5C9C36C77BFE8E18D26E62C47E0B0C84917CE1F1E8954Ffalsetrue 11241100x80000000000000007542894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007542893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:58.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FFB757597CB9823A76DDFFBE63AFDD,SHA256=3BF52993EEB564664E4DA88CDBC3AF44C57ECA10B663704176DD859493AF6262falsetrue 11241100x80000000000000007542916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A844B0E89F6E299C0B5D747719115E2A,SHA256=53C6B25E095CF44BFD5E70C41D40E9ACFD7479A3F8A7EA854C1603AE84034788falsetrue 11241100x80000000000000007542914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E0568AF324A1A14A9BF9117D4B2189F,SHA256=A33C82BF46830CE375DB7C58F341CE3D938D137352A211D43427D6EDDFB63B35falsetrue 11241100x80000000000000007542912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:59.386{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3498C23A97BA8B09BF1AF919EDABB935,SHA256=02A65CFF851BAC53C495E1355E6DDE267506941B1F33728723314AD4F3A59831falsetrue 23542300x80000000000000002131149Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:59.271{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB79C941AD5E606481FAEF1DBE1A79F,SHA256=7BB49AACD905F1F5F39592927F38172E6C0C0D01A31BAE3F14B5077511096E46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:00.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007542917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:00.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DC9CF3753FAC6DB297A19D4F5F093A,SHA256=72F9E7CD326C8C4E144B94C624F9AA021DD05DB897C40F7C9CCE999B318666FAfalsetrue 23542300x80000000000000002131150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:00.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC250DBAE738CB8EC592564577676B22,SHA256=CF8E1B3F1FC672944DDF5676299A8FDC278A38D8073543833ACDAC07F6B34051,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.415{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.415{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED4B97FC11B5E43AF7578B7071605C9,SHA256=73E884F33DEC8F667806D9AF9D84202DF69CAFC54CF72962EF178B901F6BE110falsetrue 23542300x80000000000000002131152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:01.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189253DD8D16A19D4CE78F1BE660345C,SHA256=5AE3FED5DB89ED402242DBA228C16E09EDBCEC3B01BD2209B4319BB80D902020,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E31B554C07BB0EF13A39CBE3B042E8,SHA256=FA414FF60CFE14C06D0BB864944CDC466B69CE30BD42C80A43D8651B755ABC42falsetrue 11241100x80000000000000007542920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.262{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8803C4789804943486107CCE99F655B,SHA256=9DB9F00BF564A7595CBD9216F9330CA5577428ED70CDED0992E47D127CA07A18falsetrue 
23542300x80000000000000002131151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:01.140{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38ED4E4D688F3AF963DC1E1A85D6E686,SHA256=5A6B6B09E705AE30DCFCD072404466D9DC36CC18600B39CD91D19BA996E9741C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007542927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:43.105{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56735-false10.0.1.12-8000- 11241100x80000000000000007542926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:02.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:02.429{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EE7BDB8BCC4E33A04367E689C090C7,SHA256=9467B148D0347FF5B084AA0D90E4C0E4E56128A030267B3EDE8DA78FD3164704falsetrue 23542300x80000000000000002131154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:02.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984A50509B00C954D237E5444DE6A113,SHA256=6FE2358DBC31E26872532F6875A4DF2E0A6B65E159146BB5A09BA4D5484E67B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:06:52.925{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62340-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:03.281{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE64FA3FE335D06DF397B7CE607B0B9B,SHA256=B36A9E116C8D65C13C93ECD3B51F7C58B4401E93739CDA6B9BD4F5F4978C8C36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DBFBC920A82BED46A9641ABF9A06F992,SHA256=82257C761D3D133283BED362D8203A504497A45D8191585178185FF2565AB848falsetrue 11241100x80000000000000007542929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.443{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:03.443{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9EE490FC874BC1C80591A5C5E580C,SHA256=85358DF7FF81D916A97C578470454D4602E10CE4A466A4F85E77DA1456EF5530falsetrue 11241100x80000000000000007542939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DE7478F4CB67EA451A14A81CF1B8561C,SHA256=2F061D99B85B58D326D39F673E4E207BC5216011BEC100AF8A646F343271A1A0falsetrue 
11241100x80000000000000007542937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=328567ED1CBAC8CCDB8CCAAD7715EC53,SHA256=D877FF5EC6F1F977FAA12C189F3A0A327A2AE82CBFA1136A65E459AFACA31B2Efalsetrue 11241100x80000000000000007542935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24312F72B05B36C827811BAD06DFCCF,SHA256=E9A37FAA77E62B5809544C690C1F379418312BCC798A5678236AC87EEB15E039falsetrue 23542300x80000000000000002131156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:04.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B357CE6F0A2293A32630FAA64EFB4113,SHA256=49AA1A0AF82955DFE282245368C69CF5838E6E8C5D81D053A92A65EBAA9FE057,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:04.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E31B554C07BB0EF13A39CBE3B042E8,SHA256=FA414FF60CFE14C06D0BB864944CDC466B69CE30BD42C80A43D8651B755ABC42falsetrue 11241100x80000000000000007542941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:05.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:05.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3465FC2FAE06D077FAC5D768A0F2AE,SHA256=C92F69F3AFD2EF345CA8D024E79010C0B194502C4EA0476CE700710C2A3409F7falsetrue 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:09.987{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007542960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007542959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E52E59ECEB25F94F20D4461A39914AB8,SHA256=BCD7FDCC980CC12C54F36AEA32D1502D99FCDF0CC33E3B440CF52B9985F4C897falsetrue 11241100x80000000000000007542958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.703{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007542957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.703{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB4085065DFB16CAEDE6F9EDC2A10A07,SHA256=B449CF3F663083CDECF4CA04C177601692498EE1AA3ED17C3B756BBDA2582E04falsetrue 11241100x80000000000000007542956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.619{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB2AD60ABCDBA77F71533E3C3BB1E77,SHA256=B02623DAA94CD54A48B9C5C55375EFBDC5D8E5E692674B90F325F67BDB73D36Dfalsetrue 23542300x80000000000000002131208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.692{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9915MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:09.405{AEE49BD1-90BD-613B-901B-01000000F101}42084368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.353{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F8873637E8C4C99D6F1A480509EDF8,SHA256=401639442F68A3DC768A2CF849FE0DC0970C57015F6FF31E833111245A017E77,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007542954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007542953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:09.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20EBCD1AB41A20C075E0259CF90F1620,SHA256=9CAFE16DD9CD7A74687D169BB7993776A5D7BB76480293DA2BD5A98E744EB7D0falsetrue 10341000x80000000000000002131205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:09.259{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.259{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:09.254{AEE49BD1-90BD-613B-901B-01000000F101}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007542998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:10.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:10.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B2E60E06D56D936DE74370CE510989,SHA256=E95C1E9C6377B539EFAF0F60A6AC7B8368621F3C5EB8EB40707E180B1BFE8F26falsetrue 23542300x80000000000000002131211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.691{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9916MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.406{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87047A99499FE704860F503F38840F20,SHA256=061E9787254FCFF0BCBC05F24A74907F968EB0FDA0F3732F694B7EBE658254B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.291{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2997DFB7A7A473510CAE2AA20867CAEC,SHA256=00421C128F67DE4E4F041C1842B4DBADCA7317A9636D40CA4416E9B29DBB7AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:11.592{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:11.408{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACCAF462DD3E0E9C6824AFE5F67A95B,SHA256=1FC12719AE5F08467FA63E0396ECEC862FCCA1541A5D04781869D2B8B05D1B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:12.493{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F8D5397750449EACFFE2E04F6A0B933,SHA256=42EB39DF3B02E64ACB138E2E237C42939DC42740055A74A4364D0E37A82847EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:12.409{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F16C895A97F8EAEE3CF039265378F2,SHA256=C8AEBD70666EA376D4021C6295DEE3F83236CEEEEE7F07B445896B79EDEF32F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:12.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007542999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:12.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD180F0814822A33E5A68402D75302C,SHA256=1E16DB6AA743A7D2A052D76D681B992C93236B3864D06DA0F4193F769D7FCB35falsetrue 23542300x80000000000000002131218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:13.410{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE4ECB0B9F27CD6BE91EF6317AF5B57,SHA256=336915DBBF15A69408010EE3CD909D7AA3397DE7466F7C94E23D7D04A1E47949,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85DA37F6CACE55D0EDD214B139997855,SHA256=0BF8DAE02F2F9979B4B2B47AC92F22E426B2D55BB476084365181CFBA95B60E9falsetrue 11241100x80000000000000007543002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.064{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:13.063{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F81865BCAEDFC5B44CA49A60AA821AC,SHA256=90FE189BA37F2AB01EFCFCD6B72E9130457D202831FD0B703A78286861E3FA68falsetrue 
354300x80000000000000002131217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:04.367{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62343-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000002131216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:04.048{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62342-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007543013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AE2B49A936DD7992DC6657AD9C6A846,SHA256=EC30635F984301B6E0FCB76D1BAD4309471B85ED03D418C6DC976F26516D6F5Dfalsetrue 11241100x80000000000000007543011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007543010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.964{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B692493EBD368CD5AD81297C0A046F3B,SHA256=6F1B1B6DEC35EA02A5D8757C506C21237A88F63C36CB03941C7DD7BD36496A76falsetrue 354300x80000000000000007543009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:06:55.056{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56737-false10.0.1.12-8000- 11241100x80000000000000007543008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9E82A76678ECC0724382F73DC3F2ACE,SHA256=6EACA86DD760138E773DABDC058FACB44C42CBA68D01D8AAF2D5AA41BCF6126Dfalsetrue 11241100x80000000000000007543006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:14.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C31C1A182846CE0DAFF0AE9D5230516,SHA256=5A5CFA339B43822487F3AC5B8432F317EC91EC73FFD1E3062D4BCBE8C6D6A8E4falsetrue 23542300x80000000000000002131219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:14.413{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4112E564BFEFEAA472EC500C20F2C,SHA256=5C7A235493E2E7538011E7788D4070952718896B176FFE0DAE91EB3417B0ED98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:15.363{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:15.363{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDC27CD54E48E2528510B2AEB3BAD97,SHA256=FDA72FB7BBDC41F733DC8C10E5B115D35ABD718A18B4FDCEFE467D52B1A4573Dfalsetrue 
23542300x80000000000000002131220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:15.413{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667CF51E27FBD8CCB7A30DFDF1C27D52,SHA256=6DAD99CD8B77E64C9044B94AE8BCF548696845F360B2A75FEB0B7B4160487F75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:16.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:16.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E030890CF25A0332E1F17B9BE85D7C3,SHA256=BE55A1D75BBCE9821DCBF425BEFACA05D8B4A0906768CEE026A6DBA2AFA36FE0falsetrue 23542300x80000000000000002131221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:16.415{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EDACE6191A112DBFF3A7C942B7616E,SHA256=6BCB0746375C3E6770253195F98F436A3E6CABB7CB9FE42C1A7B519303AA86CC,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007543019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:17.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:17.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FD35974BDB201DE65DE5008FBD1362,SHA256=97E359259725B2FD7E1DB984F99CBB5081E298B1EA32A5A9AB3672F2F7A52F2Cfalsetrue 23542300x80000000000000002131222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:17.417{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF7DF7B9D2F3F97723CA18F7F8F7945,SHA256=86F1458BC76AB8C9D6D964397CCDCE812BB38F67C42E525B2EEFB4D4F13AEBAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:10.008{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62344-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:18.450{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0545B45C7B7C75E8A97785CCE6599D6E,SHA256=407C54AE90AD47B309480ADDEA59D62BDB6AEBCE8D5E7930844ADB1E526AE145,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.974{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.974{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A756CCF1CF271F4258A41B3F5946DD3,SHA256=502736753A31B1C27FB864CB3F29BB2A1DB57C0377C4E3861418CBE59650A702falsetrue 11241100x80000000000000007543021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:18.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28450EEE4670D7053C9F83722CECE187,SHA256=99FED02939F16B9D704E4B0B0F1F3E455E0526B8AF48F28C9985B21570BB401Afalsetrue 23542300x80000000000000002131224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:18.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C002C8111B7E9F5E72E457C01CFBC92D,SHA256=14301379BB441AF48AA4798CE3D5CD24D0D3E436B6A72C39DD46E67C09B0A055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:18.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F05D068C0BAA2E24A6C5BBBC38D1062D,SHA256=08015A8D0C33AF32F28C33A21D8F1834C6128E2A067D8E3CBB28D032DF0BBB70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD4ECADF1DB965FC9243C050EC40C841,SHA256=313EF0DEBB785598B92C46B509A5C588C8BD1E1C93F08C2BE3B334DA9AB12B7Cfalsetrue 11241100x80000000000000007543031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.888{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.888{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D0046BB3A0DA737F0B907249CCB0707,SHA256=ABB8075ED4C59BAC28CE17785E6B9307954280F9C7621EFBD6E05008BE5433FAfalsetrue 11241100x80000000000000007543029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC4ECF0FA8B45864676EFB6B511543A,SHA256=CB03125B4782EA2DF6604AA60036F6B02CFE9A24A76BE1B1FCA27EFFE0B320B2falsetrue 
23542300x80000000000000002131240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.473{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F39F77C81B640377E15D7D37A47679,SHA256=8A6A4EC56CC3DB13A8F89137499BA177CBA3ADD263CD3AE68B5C7CFD157C507B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:19.252{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.252{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:19.237{AEE49BD1-90C7-613B-911B-01000000F101}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007543027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=698168FE20CC9F3927EE1AA0BFA376AE,SHA256=5825D19732B15A7DCDD1A683531DA2F2B60AAFBE9ADBFACA6504213CBBB1CD50falsetrue 11241100x80000000000000007543025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:19.174{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963F038D0AAFB23F42DE8CA4AEFD4BD0,SHA256=DC60B664C7EE290D5CAAF88E46DFA50B9240AA0F2256558DC8A1DAD0471B9A56falsetrue 23542300x80000000000000002131242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:20.490{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4662BFF08F469E9803A84355A1F892,SHA256=2CEBFC98B6B71C5E720A35C64F1C3A1CCF882188248FC7A6CC51BF17A0F0730A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:01.029{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56738-false10.0.1.12-8000- 
11241100x80000000000000007543035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:20.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:20.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA8174C9899043C85A5E4156998F0F3,SHA256=29A488547898B7EE2E67C7D818F20657A8C975EA301F4455C1AB890140724F4Cfalsetrue 23542300x80000000000000002131241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:20.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C002C8111B7E9F5E72E457C01CFBC92D,SHA256=14301379BB441AF48AA4798CE3D5CD24D0D3E436B6A72C39DD46E67C09B0A055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:21.491{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA4C281779DACC96002850EA3D2BA2D,SHA256=D7B9BC4F198BC26F60A304CEFAE856E2E5B7CBA92DBBC42388661792A13DD62F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:21.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:21.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D60708A67133540B87F2F1268DEBA42,SHA256=A0E0719113D51C6479ED7F68C7FB04F1BE1D42EA1355F17FE70EB2E9E21E3838falsetrue 11241100x80000000000000007543040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:22.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:22.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312CE3CE357478A8D70E24F4FDAFECD3,SHA256=8CF335E8E2CB6CA3A0453CEAE40432E69EA61CE491559D927D26513C3A1A8A2Ffalsetrue 23542300x80000000000000002131244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:22.493{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B867096804683F48313739D2546AA20F,SHA256=15BEFF0914C6C535A3A241F0343873C5BFC82959305352174C2E8B0995A5CB9D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:23.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:23.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C06066AD90AC8E5BC908C58C67139ED,SHA256=9210ED9DEF0E191E1A31EEEA18EE068270FBA60A11E90689F2716976CD85C756falsetrue 23542300x80000000000000002131245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:23.494{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956593D66AD6909F6245EF6245DA8D0F,SHA256=DA0F3AD8AC7FE72E060AE29511799C253183F437661D25C1B8F8B0D384096147,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 
15:27:39.754 23542300x80000000000000007543051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=650FC3789AFAED8809BC83629A9EB410,SHA256=B67777058619FCC8162E9040497D4A3AA6A23335E0A7D0D2638439DA077001BDfalsetrue 11241100x80000000000000007543050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.852{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.852{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C890BD1A449F15CE5D4542F4D7F2E149,SHA256=80198FF0EB9C6B438E951ED85925DA845387020E7DB6B2F73FC0BE28A1E79ADFfalsetrue 11241100x80000000000000007543048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FF781630EEDEF78B852F69B25AC6A6,SHA256=61911D4F35895B49E1EDD28CAAADA2C719484F3E7A2EEBA1C96924CEBF846224falsetrue 23542300x80000000000000002131248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:24.496{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2914D2C12186AC0E3EA30EA8FB3857D8,SHA256=DBCD19B5326D0A7632094BB866F139C140141A4432A26D3183E83021F536EB93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB99AD8EB0B49ED0053EA798451116E7,SHA256=5DDA3D4DC3F9D76DBFE3C8DE09295D9F11A7A7B79024893AF64298CD6016F47Bfalsetrue 11241100x80000000000000007543044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007543043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=698168FE20CC9F3927EE1AA0BFA376AE,SHA256=5825D19732B15A7DCDD1A683531DA2F2B60AAFBE9ADBFACA6504213CBBB1CD50falsetrue 354300x80000000000000002131247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:15.915{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62345-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:24.127{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787295BF27BED6E09958BF1BA54A8093,SHA256=8FAF833C73D5C35F700CF842434171941B51EC53B784F411398E04FEADA2C3EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32779F515A62B1E3039783106CE6BA00,SHA256=26F785B010C881AFDEC972AE91915DEEA28D2E2505C487D6CBB797CA8AD08735falsetrue 23542300x80000000000000002131249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:25.497{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9069CA346B4357A58D7643E6D0C0E35,SHA256=9B3D4B50C91D616E3E46E58CACB2ECB446DC38CEAAED41C4B411FD96FAD129FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:25.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326DE87A53CAFCAFA0A080F97CBEDB89,SHA256=03702F492C0968334DD3EDA3DB4ACCE90D820ECDA0DBEEC225E01F973919F7FDfalsetrue 11241100x80000000000000007543062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.665{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007543061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.665{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC42BEEE97D9B404EA031BF527C35BE,SHA256=525597C00083F74435B0C0E5440A414FBEA940B1CD8C11D51AB907B7A9149B15falsetrue 23542300x80000000000000002131250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:26.498{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665330EE766D577190D5E9261000B03C,SHA256=A0DDC0BD0858E7582362AA0B51C54CA007A27D378F128DA9CD9EAB8AF82D9F24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:06.973{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56739-false10.0.1.12-8000- 23542300x80000000000000007543059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.015{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9924MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007543058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:26.014{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program 
17:07:42.843{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007543131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979727906649BF421720DA9818B94255,SHA256=73393AF9718D4CBA14507B63169047123C13E411C155E77A532D4941F7B0FC11falsetrue 11241100x80000000000000007543129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.226{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D28C75004619F729FB3CFE21D1DD0879,SHA256=5CCD5113A986724F5C3FC9F8B964011A23DFD7EC81A94427236D376CA8A588E0falsetrue 11241100x80000000000000007543127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:42.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A25747D5005485A7C4F8D02E18E617,SHA256=7445D259F77363723C1CCC76EB393E72E235E366B5AB3A1563E339F723DC8F41falsetrue 23542300x80000000000000002131279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:43.675{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEDF63337AF379DC5E3A812D551D5DBC,SHA256=F09E79DBB282A7D3C3F0C16983111BB958B685F66A58C703E8C5333D97987A2B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979727906649BF421720DA9818B94255,SHA256=73393AF9718D4CBA14507B63169047123C13E411C155E77A532D4941F7B0FC11falsetrue 
11241100x80000000000000007543136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:43.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3023A728D598CC432F9F4A1E999CD54,SHA256=86B0AEE7E2A5690A885AAA908FE6CCF3782B9A437F1D18EDC52013E1A0379B9Cfalsetrue 354300x80000000000000007543134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:24.096{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56742-false10.0.1.12-8000- 23542300x80000000000000002131280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:44.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1422FDBEC8861D3D9DBA61B0F99ED1A5,SHA256=295C3185CD603F5916783B174661891F840B6D38B75436E7DAA8FEE2AC70A2DF,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007543256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.940{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 
734700x80000000000000007543255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.940{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.924{4DF467A6-90E0-613B-6322-01000000F001}4246108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.924{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:44.924{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007543251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.819{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.819{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.818{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft 
WindowsValid 18141800x80000000000000007543248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.818{4DF467A6-90E0-613B-6322-01000000F001}424\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000007543236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 
(rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:44.803{4DF467A6-90E0-613B-6322-01000000F001}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
17:07:45.455{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007543319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft 
WindowsValid 18141800x80000000000000007543316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 11241100x80000000000000007543309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007543308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007543307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5000062267767DC3200B2521DB24DFF1,SHA256=F659FE2106D64AB5691925DFB50072C68F28864E2D12CEAE24C399BA73BA6095falsetrue 23542300x80000000000000007543306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B416229C0CE0502105146C998D48406C,SHA256=3D5300D0E05AC1DC6538CD1354DEB7C05AC70A1B5A7DDDCCED41BB4A6575E624falsetrue 734700x80000000000000007543305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000007543296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.339{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007543273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:45.324{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.324{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:45.318{4DF467A6-90E1-613B-6422-01000000F001}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
18141800x80000000000000007543371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007543370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000007543363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007543352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007543350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.023{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 
734700x80000000000000007543344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.022{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.021{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007543338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.020{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.019{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.019{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.019{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.018{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007543333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:46.018{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.017{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.002{4DF467A6-90E2-613B-6522-01000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:46.001{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
23542300x80000000000000002131285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:47.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6974910EF951592169A89A4C6E3C44,SHA256=0DC83BEFE3459A24FA2169ED00B3652F46905CF671535571464582F46AB2ECDC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.699{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD9FE3B327657DA25B2F51724A17594,SHA256=766C75397FC8A2D7D9F0068DE36A2B2249C38CA496F093D3B371D485233848B2falsetrue 11241100x80000000000000007543509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDE509835061C55B553BE21AE25ABBF,SHA256=9E67436F20AD6FC9B360220E011614ED20F295A715AEA941C09C9EB540D1DF3Cfalsetrue 11241100x80000000000000007543507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351DB768F77C78B672045420B66E9ED6,SHA256=D00AD4C752615795B98DC05A94BF1B34E4C0CD637E440B8B2C01D724B78A742Cfalsetrue 534500x80000000000000007543505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007543504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.521{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000002131284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:47.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712B7E232D197D121EF8A1FDB4EE1016,SHA256=95874FA17B165107E95C1E2993540E5188245ED265BC59956FCA5F0FD7B52DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:47.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887F7F28FA3E91763C6EC2EBDE6E1AA4,SHA256=825F62763D29E9ABF91D3E65BCAE151927CD43BD73A22C14F6AA45A0F32B6EAA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007543501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007543497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007543495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.399{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007543490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 
734700x80000000000000007543485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007543479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007543478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007543476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007543474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007543473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007543472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007543471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007543468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007543467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007543466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 
(rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007543465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007543464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007543463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007543462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007543461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007543460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007543459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000007543458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007543454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.384{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000007543452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:47.369{4DF467A6-90E3-613B-6722-01000000F001}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007543446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:07:47.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007543570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:48.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83501EBDC6D4EEA4EBD020F72360D6BC,SHA256=C28441FD419973D851B0DA01E78F3A1DB2D6708F3303F59B4EB46204A751F9ADfalsetrue 23542300x80000000000000002131287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:48.785{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B623930171E953D3E12BA543B55BF111,SHA256=177DB7AD78F932D40D12DBC20AF5C0FFA876D51990712342408AF28D35234329,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:38.956{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.892{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.827{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C961E7E35ADA0103CF790FEB988BAA46,SHA256=5FF663B7779B014FF50044A47D176B35153F7C67F2B64C71C8EE3446C66FD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6555B128FF3BEF095B23A3F7111CF7B,SHA256=338A210048412C9CECBF52CE47EF3206D24B27FDDD28691379ED328244C5EF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:52.307{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712B7E232D197D121EF8A1FDB4EE1016,SHA256=95874FA17B165107E95C1E2993540E5188245ED265BC59956FCA5F0FD7B52DF8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E143DE60D4009EDAEE41ED6B8BB050,SHA256=3D7F813C83BCD3553D77A88DFC6467FE5A3CBD75BFA13CE58B11AA54A72B2CECfalsetrue 11241100x80000000000000007543587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:53.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15836DAD1F464CF8004653FCA9915441,SHA256=573CA6DE0B19AD1AD096D4A97C17423EAF940F9CD59AD8D7610564889C469FBBfalsetrue 10341000x80000000000000002131338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.780{AEE49BD1-90EA-613B-921B-01000000F101}9285456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:54.664{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90EA-613B-921B-01000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.664{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:07:58.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484A8A34405DEDEA6C6750E371FCDE1A,SHA256=4810ABF75E4E79FC0E299A368EAD279BA9E2CD6B66F7580C9FC87C21566A4AE8falsetrue 354300x80000000000000002131370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:49.019{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62351-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007543606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.499{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000007543605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:58.498{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C90AC667F0654996212055BA8C71F9E3,SHA256=10127D64BDAAE5A96268B165F0EC4D3D59914404CE3E3E2C28488E9FABC8F6B9falsetrue 23542300x80000000000000002131372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:59.836{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C930ABEDEC1377B16E7C8308621A69,SHA256=D25A96A8FAB6D896B7C05FEA26EDF0FDE049624F7D2B1FF080BB8E8CCAF745E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE09F0F406C295FD45F7857B53DEDA5,SHA256=33DFF4E47EC22FC6C050BB4742FCC6FF4481AAC0A4E0BB7E581E16FAE9B1270Cfalsetrue 11241100x80000000000000007543614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B0A38E039EF2FDA5E6E58B492E015E2,SHA256=DA0D8753AFFD951F01008A9057A334B598C1EF8059DB02D4157A6F41B7BF9A03falsetrue 11241100x80000000000000007543612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC8D0FDE0C8603935DD1423D8D92ED2,SHA256=92B9F3E7B3F6B6F68D546E192012C8408AFC0EC671E142DC02BC01F80974D760falsetrue 11241100x80000000000000007543610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:59.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=496CCCDE41B02C27B12F0B3EEF4109E4,SHA256=A66FA519CA2C9F8EA9D608AFD688F1F6A1C1152163428CFF7429E8BF2AB2449Efalsetrue 23542300x80000000000000002131373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:00.839{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB06544D6F1E0E1D7FFD5854CEE704A,SHA256=0E7DA2E6685401CC8C80546BABB61D92558A5075F81FBB2E333334DA1F876B6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.616{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.616{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CA498150352AC3B101F35CB7ED3D7E,SHA256=44394591BBD3E8011B7C30C5A621FABE72D680CD5940D30AC16F96EBB6313DD7falsetrue 354300x80000000000000007543621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:40.954{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56747-false10.0.1.12-8000- 11241100x80000000000000007543620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007543619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37DB81182B0FC04B3790856109E3EAC9,SHA256=A3B3374EB58CD99F25B85665434572EC4C61044FA5B2E4604C046BD909DABFB8falsetrue 11241100x80000000000000007543618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=24A9E0AFB8F23315CFE3BB879EB8C6B1,SHA256=0B062048947917F1D6112AC1CF86738E0819C78656029F7CBBADC4390D5EC0E4falsetrue 23542300x80000000000000002131374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:01.860{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F864FFA4F3E006D51CFBB73B9C1766A,SHA256=9EAD9824F542911FF50ADD404C94483CED84E508D9F89211821530AFCE252045,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:01.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:01.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39571C2E4B09CFBCD88D4FB337BAD00,SHA256=88CC3382167DF49DCF8ED3B27D3B6986E9393FE49A511C1C891753304556C91Bfalsetrue 11241100x80000000000000007543627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:02.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:02.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16DE62A44454B69F2336138F268A90E,SHA256=6ECD0927F836578E697840504ED0EDCE22F3AC85512074B78EB33A0A47231198falsetrue 23542300x80000000000000002131375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:02.877{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E203318B30FCFAF9EBDC145A92403994,SHA256=2865A9386247DDFE0AC8CC38A79D91B1D5F8B63D983A8F53DE4A63E66E9EA3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:03.878{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874D05A64DDA7E8200EF88103DE64353,SHA256=14414B26BD243D31F0652F20C5BD7054CDF53E802BB15FBCB6182033CF5D55E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:03.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:03.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB77B9666E1D193E4E52C77962A59B7,SHA256=1463EC649C1C0D1117B30EA8F45174F7C9CDC92269F72082630DEAFC19ED36F1falsetrue 354300x80000000000000002131378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:07:54.928{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62352-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:03.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9761C717E608888971992324916E3BE6,SHA256=B155E70E50E56019F49ECCEA87CD6695512CFCF69722CC22AE24DD4BFA2DFFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:03.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D48F453D057363EF4B896AF7021D00F,SHA256=500CE3131672BBD18A460135A22777A8AD33DC3818BAC3C0EF0AAFC00D8C86BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:04.896{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5094E736A5AF43DC20009F70125BBA,SHA256=7FCC937F3668D267E988C8734F229FE2DA767704C230E19A3E28C911B078F2A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000007543636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F33F3DB46F9B95CF9B8996C5BDEB00E,SHA256=2C1F0CBBBE24FC1C227FDB918C9CE20835F7F6E546917F195BB551BEB41B833Cfalsetrue 11241100x80000000000000007543635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB5838C2ED8F5964E03C89FC52FD7C09,SHA256=E6D366CC38BC7A3CE7DA95CC73BB882391257BAED42AC0AB0047691BE40835BDfalsetrue 11241100x80000000000000007543633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.094{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA2E93DFF85B02D32611A106F98FD21C,SHA256=3E3B835E0CF847029D888C43FA9B03312073239DC1EB9282B2FCDD49AAC1C702falsetrue 11241100x80000000000000007543631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:04.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC8D0FDE0C8603935DD1423D8D92ED2,SHA256=92B9F3E7B3F6B6F68D546E192012C8408AFC0EC671E142DC02BC01F80974D760falsetrue 23542300x80000000000000002131381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:05.897{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE645C6C3F4CB76E67B31BA605A46B3,SHA256=FB3DA29835F1DD0FAD4210605027969E1442C5EC768E6C16CB54820402F4903E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:05.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDB4FC8FC202C8729EFA085E4389484,SHA256=42B3C65C1794B05E5D3157FB4EE0F57E878DF2E76B0183C7DBAB3605C26E12EFfalsetrue 354300x80000000000000007543642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:07:46.915{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56748-false10.0.1.12-8000- 11241100x80000000000000007543641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6C1768A07DEDC7985981F7CAD1397C1,SHA256=48D28C668E3E0B3F5799072CA5725D05A349C95A5019C21819887D8BBC2DBAB4falsetrue 11241100x80000000000000007543639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007543638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:05.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=279C6E02BACC452085B9C5371F537691,SHA256=8DBC125D39736ED2AC9B7300CF0B0D148883DD3763D1FD84F07FF929AC83760Ffalsetrue 23542300x80000000000000002131382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:06.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D82A1B2ED61614C25E228AA23372692,SHA256=4FC8BD3DC0509E597D8B74CEC7455885745A57B8C3FBB7163E40ED8EB7774662,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:06.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:06.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1292198BF0A9C759923465EA30DAC6E,SHA256=6E11D83F2FAA3ED8D2B278C15125340D38AC41933D37BD945BED4DB8128F2452falsetrue 11241100x80000000000000007543648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:07.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:07.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6074061FD85677BD08C93CF97AD85F7,SHA256=350C04FC94E19D9951BB59C2768132612F5D13B70957A8B5E61D5CC3F089A11Afalsetrue 10341000x80000000000000002131396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:07.916{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.916{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.901{AEE49BD1-90F7-613B-951B-01000000F101}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:07.900{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA870F37DB2D7124961A7F60D1E7C309,SHA256=652F85DC6DFA07EA9C01F1B2B6BF74356B10C45A66E5893670F4147250E22A59,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002131413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.984{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552DFD5C588A3A6438305B943536E936,SHA256=B94177362DDA8CF4EB727E287FBE9B1A47F91412837F08384E13C7E3DFF19438,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:08.836{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:08.836{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABE30EA38DFD945188675283F8D0543,SHA256=C0EBA1AA19ACAAC38FB91FC3CD88D5C81D94D970B150E1099B78009C99190475falsetrue 10341000x80000000000000002131412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.716{AEE49BD1-90F8-613B-961B-01000000F101}21843648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:08.600{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.600{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.585{AEE49BD1-90F8-613B-961B-01000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9761C717E608888971992324916E3BE6,SHA256=B155E70E50E56019F49ECCEA87CD6695512CFCF69722CC22AE24DD4BFA2DFFEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:08.052{AEE49BD1-90F7-613B-951B-01000000F101}40045772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007543656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:09.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85424F5BC00CF2B90256B43A2E6D31B,SHA256=9D6549FD2BC9A7DB4312987A483B07EA4987603C42C11EF0873C857D19310EA7falsetrue 10341000x80000000000000002131430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.901{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+21ac1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3a6e|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.601{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=555E448C0C18B9ADC9C54C6F36A0B29E,SHA256=014DDE2A9BF96E81EBCAEF4D925F913EC84EE67BAF1B17DF756AC4DE4F42FAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.416{AEE49BD1-90F9-613B-971B-01000000F101}47044292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-90F9-613B-971B-01000000F101}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:09.301{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
23542300x80000000000000007543689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:17.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9670BEA2133D707365F77D26FA60597B,SHA256=575837F597A4789F9A6547035A6874969FF2961C6FED34A4E49AE9B12EEE2FBFfalsetrue 10341000x80000000000000002131478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:17.858{AEE49BD1-4159-6132-0B00-00000000F101}628920C:\Windows\system32\lsass.exe{AEE49BD1-4151-6132-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002131477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:17.075{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847233729BBF98469C60AF387FE678C9,SHA256=F8EBD7833E46764316119841624743F7F37582321F2DF4842402AC3A57911989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:18.877{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50494364827E2597A21DC4094CFDED96,SHA256=31BEC130C0874BBE84B8DC9844C97DED32B285CA41E2B12E5AD7E69C91369E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:18.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADD85A2A01F7BA9DD248DE3167FB63F,SHA256=230FC24E6B60361008DA6222C834E9B50A5A8CF6C9D4B006B240545EA2FD95AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73854A0F1963CD1690455EFF9B974D27,SHA256=DAEE294076E07DD8A02EC942783B8615474FA2804E49F67387928D791C3EA12Ffalsetrue 11241100x80000000000000007543692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:18.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5763153E9103CA291965B507C37E5C1B,SHA256=37C0C0CABD0A2CC3EEECF22CE4922C92BD98AE452F5B3F9319D40CE34472FFF6falsetrue 354300x80000000000000007543699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:00.727{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal62356-false10.0.1.14win-dc-291.attackrange.local445microsoft-ds 11241100x80000000000000007543698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62769D6F84E38D55AD25549354F27375,SHA256=9F6ED9B52771797E35510A4AB7858596C71EC5A3FEEE2940F28BA81B5E2BD705falsetrue 11241100x80000000000000007543696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:19.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F4105E267AFAA285D1CC39ADA8E8D1,SHA256=7D44D034A316E07EA245D3661AF0D9343E1D11A45DA5EAA4B24538F6F06A7C31falsetrue 354300x80000000000000002131495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:10.646{AEE49BD1-4151-6132-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62356-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 10341000x80000000000000002131494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.259{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002131493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.258{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002131491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:08:19.257{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.256{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.256{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.240{AEE49BD1-9103-613B-981B-01000000F101}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:19.093{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6BF0ECEB6B6EB8837470EBBE5B2229,SHA256=F8844A364E2DEAF8DA70C9F8FC522AC1CCC19214DBFFD31DDABE4D6A2DE85E2C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002131498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:11.848{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62357-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:20.094{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5A0836F09F502800D97C6950C89B50,SHA256=AF3ACB7034C6946B0EB5F483968337B86E03A661082BA06DACD3DFC9530A419F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E6D934C0F40351C88E1FA4360EEA39E,SHA256=D6350127554B66F6F3F0B5E97212F82251676E13FB303C0FFA53C75C08B3387Afalsetrue 11241100x80000000000000007543703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFAC12123C56B03A9A0B70CAC8E072B5,SHA256=A7D9989CB2EAF25206C84703A82DA62082E14E9E618A5A40B202EA0E85C8AA1Dfalsetrue 11241100x80000000000000007543701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CF1EC0FD934F1ED8221D263F265C18,SHA256=229220E24D88D50B4D6FBA8B033122373D13A1EBCF9F78939D17E974650A592Bfalsetrue 23542300x80000000000000002131496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:20.078{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8595CF131898AF5AEA7EFC8177F3B84B,SHA256=B91ADC2119B4B253147C20F9AC9B0C5D28C8222E0AFBABD678B0857704AD2FA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007543710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:03.036{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56751-false10.0.1.12-8000- 11241100x80000000000000007543709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483F887EBA757B62A5031B10ADB996F5,SHA256=E9A1BC05F0C2158FB561D951B3D7484F5C491939F1A184DBF076945C4E804067falsetrue 11241100x80000000000000007543707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:21.148{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:38.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C449A3D09F8D7E6583AF05398861CF,SHA256=DF9304EB97070458969070CEC2F936DDFB82E13A818F3C9FED69D58D6EC2868Ffalsetrue 23542300x80000000000000002131527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:39.464{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724EB7D7782F2B4E53AF19B605E531C8,SHA256=B79CCB373786C48CFCDB879BEFFA87DBFF6B5AF1DA0843607D1B0F926BD7846E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.758{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14529F68F4046A583D62546CA1D671CC,SHA256=485B3AAF30559E34DD6433FD39A3590C249C9329DA3E05F2D6747BF0D8158A7Ffalsetrue 354300x80000000000000007543781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:20.962{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56754-false10.0.1.12-8000- 11241100x80000000000000007543780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5016FA8FAEAE8369A196E1E9E499D3D,SHA256=C5E1ABC4EFE9A856ABC3FAE0EFE1EE1645DCE813BD3676966652E9E14542E3ABfalsetrue 11241100x80000000000000007543778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5FFB864D6041BEC22565CA97C504AC,SHA256=8F948486F6857150A18CAF83814E574B59F77ADE7A5767EEE214EC7B9962345Dfalsetrue 11241100x80000000000000007543776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:39.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95A2DF6F31D8AF681CADF6995DCDC97,SHA256=5D1EEC5E42003168DFA8702ACC3A595E232885C5DF8EA6E5BD82965D35F5A98Cfalsetrue 23542300x80000000000000002131528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:40.500{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7BD59BAA00F7876992120503A6CD3F,SHA256=2A3ACC620CEA80C96F70D615A8210F22FE4B8E006FC4B3136E2948EFADA1C350,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007543788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34EA92497F4D33837CE395D4C33E6076,SHA256=E71962874793D5C7A9E029B18799B08184C6627843AF4C0B66AAEC3B2D992222falsetrue 11241100x80000000000000007543787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=12DD9C999813CE8BA5053BEF7E480777,SHA256=52E161EFD58EF740533AF04207BD94408911B343FBFC69D97D72F3A8A0A24969falsetrue 11241100x80000000000000007543785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:40.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F6071EED8AD224E176DB6D26E21DB8,SHA256=D04F4E2E9BC6A7BA87CE4CFCAF3B45602753FDDC39F84EA1ED4D281C1C722CDCfalsetrue 23542300x80000000000000002131529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:41.502{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FBE95A9D4E897C4933275F376D08C6,SHA256=D51C83BCEFEFC90AEBA23A0EDCA70A08EF32FD0B56CA9E39D875769FA3C5734C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:41.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:41.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1066A20A8639673D53E1A58CF34331A6,SHA256=5308A3746E7927023763E10D4DCAAD6F0DBA6C6DCAF9D536029F88166E30CF93falsetrue 23542300x80000000000000002131530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:42.505{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC801F32A168DC7BB108D3277BB6CDF,SHA256=1274D503A20814BA0A79883BFCB1E9312910B49F356FAF6396A594F77F57A7EB,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007543795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:42.853{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007543794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:42.853{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007543793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:42.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:42.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C05C4BAF7812D862FFB6F72D1C5A3FA,SHA256=4CD6832089A79337597B13E7B4AC55E06B28FA83DE153B99ED219CA798BE94E8falsetrue 354300x80000000000000002131534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:34.992{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62361-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:43.525{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F0602FC69FA618E56BB29D3CFDF92C,SHA256=4EF55388D86F1076ABFA71ED61CF52BBBB9E6E967C81C7C40C7BF17DF49FAB65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007543798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.867{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5016FA8FAEAE8369A196E1E9E499D3D,SHA256=C5E1ABC4EFE9A856ABC3FAE0EFE1EE1645DCE813BD3676966652E9E14542E3ABfalsetrue 11241100x80000000000000007543797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5219240D18D4D181F1B6C37258D81C7E,SHA256=5DB28F9335BD91AC768B712095311617E5F8A1ADBD4DCFAF66C195BD768C61AAfalsetrue 23542300x80000000000000002131532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:43.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4615D9CB0306833F52A4CD6BE2D3DE,SHA256=4FFA36290CAC72364A60AEEBECBD545B3F271D59F8FF701440A0A3CB64663248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:43.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35C03DFA8622B18A0C4B4A4276F2A383,SHA256=7E6CA7A29911EFED2D7FA88EC242A2B9E6B3B3FC6529B9CA90F48EB7A5763988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:44.527{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C578FE0653BBF5A64363BA1A55B9B1,SHA256=B0AF51D5DD7EC98822669AEB2C39A1787DCDD2DF6D9919BC5DA0066F4DAE3AC6,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007543919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007543917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}54964152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000007543915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.881{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000007543914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:26.086{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56756-false10.0.1.12-8000- 354300x80000000000000007543913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.724{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56755-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007543912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:25.724{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56755-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 734700x80000000000000007543911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft 
WindowsValid 18141800x80000000000000007543906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007543905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:44.766{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.750{4DF467A6-911C-613B-6A22-01000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007543815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007543814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007543813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007543812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007543811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007543810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007543809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007543808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:44.114{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007543807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.114{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007543806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:44.099{4DF467A6-911C-613B-6922-01000000F001}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007543805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007543801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007543800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:44.098{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
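The records above show splunkd.exe (PID 7044) creating splunk-regmon.exe (PID 5516, Event ID 1) and then three ProcessAccess records (Event ID 10) in which csrss.exe, conhost.exe and the parent splunkd.exe each open the new process with GrantedAccess 0x1fffff, which is PROCESS_ALL_ACCESS. All three are expected for a freshly created console process (csrss opens every new process, conhost its console client, and a parent holds a full handle to the child it just spawned), so a ProcessAccess rule that does not suppress them produces noise on every forwarder restart. The Python below is an added example, not part of the export and not Splunk's or Sysmon's own code. It models those records as constructed dictionaries (GUIDs, paths and call-trace frames copied from the records above, only the fields the check reads), adds one hypothetical opener (C:\Users\Public\updater.exe with a call-stack frame in unbacked memory) so the check has something to flag, and reports accesses with inject-capable rights from a source that is neither the target's parent nor csrss/conhost.

```python
"""Triage of Sysmon ProcessAccess (Event ID 10) records against ProcessCreate
(Event ID 1) lineage. Added example: not part of the export above and not
Splunk's or Sysmon's code. SAMPLE_EVENTS is constructed to mirror the records
above (splunkd.exe spawning splunk-regmon.exe, then splunkd.exe, csrss.exe and
conhost.exe opening it with 0x1fffff); the updater.exe record is hypothetical."""
import re
from dataclasses import dataclass

# PROCESS_* access rights from winnt.h. 0x1fffff is PROCESS_ALL_ACCESS on
# Vista and later (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff).
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
INJECT_MASK = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE

# csrss opens every new process and conhost every new console process with
# full rights; the export shows both doing so to splunk-regmon.exe.
SYSTEM_OPENERS = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\conhost.exe"}

REGMON = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
REGMON_GUID = "{4DF467A6-911C-613B-6922-01000000F001}"
SPLUNKD_GUID = "{4DF467A6-D933-6137-53AF-00000000F001}"

# Constructed sample; field names as Sysmon emits them, only what the check reads.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": REGMON_GUID, "Image": REGMON,
     "ParentProcessGuid": SPLUNKD_GUID, "ParentImage": SPLUNKD},
    {"EventID": 10, "SourceProcessGuid": SPLUNKD_GUID, "SourceImage": SPLUNKD,
     "TargetProcessGuid": REGMON_GUID, "TargetImage": REGMON, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860"},
    {"EventID": 10, "SourceProcessGuid": "{4DF467A6-3F46-6132-0500-00000000F001}",
     "SourceImage": r"C:\Windows\system32\csrss.exe", "TargetProcessGuid": REGMON_GUID,
     "TargetImage": REGMON, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|"
                  r"C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"},
    {"EventID": 10, "SourceProcessGuid": "{4DF467A6-D934-6137-57AF-00000000F001}",
     "SourceImage": r"C:\Windows\system32\conhost.exe", "TargetProcessGuid": REGMON_GUID,
     "TargetImage": REGMON, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"},
    # Hypothetical: an unrelated binary opening the same target from unbacked memory.
    {"EventID": 10, "SourceProcessGuid": "{00000000-0000-0000-0000-000000000000}",
     "SourceImage": r"C:\Users\Public\updater.exe", "TargetProcessGuid": REGMON_GUID,
     "TargetImage": REGMON, "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a7404|UNKNOWN(00007FF6ABCD1234)"},
]


def decode_access(granted_hex):
    """Translate Sysmon's GrantedAccess hex string into right names."""
    mask = int(granted_hex, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def trace_modules(call_trace):
    """Module basenames in CallTrace; Sysmon writes UNKNOWN(addr) for frames
    that are not backed by a loaded image."""
    mods = []
    for frame in call_trace.split("|"):
        m = re.match(r"(.*)\+[0-9a-fA-F]+$", frame)
        mods.append(m.group(1).rsplit("\\", 1)[-1] if m else "UNKNOWN")
    return mods


@dataclass
class Finding:
    source: str
    target: str
    rights: list
    reasons: list


def triage(events):
    """Flag Event 10 records granting inject-capable rights from a source that
    is neither the target's parent (per Event 1) nor a known system opener."""
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 10:
            continue
        mask = int(e["GrantedAccess"], 16)
        if mask != PROCESS_ALL_ACCESS and (mask & INJECT_MASK) != INJECT_MASK:
            continue
        if e["SourceImage"].lower() in SYSTEM_OPENERS:
            continue
        if parent_of.get(e["TargetProcessGuid"]) == e["SourceProcessGuid"]:
            continue
        reasons = ["non-parent source with inject-capable rights"]
        if "UNKNOWN" in trace_modules(e["CallTrace"]):
            reasons.append("call stack frame outside any loaded image")
        findings.append(Finding(e["SourceImage"], e["TargetImage"],
                                decode_access(e["GrantedAccess"]), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.source} -> {f.target}: {', '.join(f.rights)}; {'; '.join(f.reasons)}")
```

Run against the constructed sample, only the hypothetical updater.exe access is reported; the three records copied from the export are suppressed by the parent-lineage and system-opener rules. The parent check keys on ProcessGuid rather than PID because PIDs are reused, and the suppression list is deliberately short: anything else holding PROCESS_ALL_ACCESS on another process deserves a look at its CallTrace.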
11241100x80000000000000007543985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DF7AE0C4850DCE3012619D241056E2B,SHA256=B1F5B87315F727CA1FE06EE9C7F4072DB870F6B97C41F0BE4E4736A2BB6937E6falsetrue 11241100x80000000000000007543983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007543982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.496{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AF4E0B1E3EA5F23DAB8930ED6BA2EC9,SHA256=FA493B913E8EBADCBD8104EE3AA0C296C7D165E9AD944EA40767225FC185BD1Dfalsetrue 534500x80000000000000007543981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 
734700x80000000000000007543980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007543979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007543978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.480{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007543977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007543976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1AD23434AC927E69B0246A9D356E69,SHA256=3880CD1AD0F6BE70FF0689980801F9C265C6441F296C75314991FC0DB575751Efalsetrue 23542300x80000000000000002131536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:45.527{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7893876D1B8F04FDC3425977FF5F9487,SHA256=C7AA77AC10D928EECD2325429485BB01A3F81B40706A16B97291AC875B07D4D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007543975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.380{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007543974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.380{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E01C2AE3498AB22466715253CE58D83,SHA256=ECCCD4655D2A28C0BD6A2A1CF7E3B97AFE051260FD42CE6C966A71A92E48523Dfalsetrue 734700x80000000000000007543973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007543972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007543971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007543970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007543968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007543967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007543966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007543965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 
API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007543964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007543963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007543962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007543961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007543960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007543959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007543958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007543957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007543956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007543955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007543954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 
(rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007543953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007543952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007543951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:45.349{4DF467A6-911D-613B-6B22-01000000F001}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007543950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.710{4DF467A6-911E-613B-6D22-01000000F001}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007544049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:46.709{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:46.530{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF17CDA781E80BA53CA70C16C72B0D2B,SHA256=5BFA6A64F9678E8647BC07840A61D4C20FBC145ACCADA882EB9A57FB7872C593,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:46.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66FCCF2F670BFC7B2F4F939177FCD694,SHA256=3FC49293ADAF62EDACB004BD9EF966796B899D8D4D3CEE473F0F7EDA8A01E409falsetrue 534500x80000000000000007544041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.163{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007544040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.163{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007544039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.163{4DF467A6-911E-613B-6C22-01000000F001}1308768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.148{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007544037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.148{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007544036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007544035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007544034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007544033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007544032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007544031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 
734700x80000000000000007544030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007544029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007544028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007544027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007544026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007544025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007544020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000007544019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007544016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007544015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007544013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007544012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007544011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007544010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007544009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007544007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007544006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007544002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007544001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.032{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007544000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:46.031{4DF467A6-911E-613B-6C22-01000000F001}1308C:\Program 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007544151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007544150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007544149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007544148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007544147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007544146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007544145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007544143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007544142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007544141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007544140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007544139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007544137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007544136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007544134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007544133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007544130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007544129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007544128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007544127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007544126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.430{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007544125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 
(rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007544124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007544122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007544121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007544120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.429{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.428{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.428{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
10341000x80000000000000007544117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.427{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.427{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007544115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.427{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007544114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.426{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007544113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.426{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007544112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.425{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007544111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.424{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:47.409{4DF467A6-911F-613B-6E22-01000000F001}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007544109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007544106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007544105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007544104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:08:47.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:48.534{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD26F9BE19554307BD023AA2A6D78EBA,SHA256=6D428CC0B9B765F2F516A905CDE85403D725F1C5441674CAA004DBB3D22F17C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:48.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
17:08:55.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.934{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2A41BED325866447B7C69AF932FB1B4,SHA256=7FF667429B5680371590DA8FD0C77792C44F317E46B73D0046E49A1B665BC68Bfalsetrue 11241100x80000000000000007544267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.518{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65BC941C083533D09AAA99CDC09C9E2,SHA256=6EC526A8AB6B97899D6B8233508B7BED412CC2DF336A491C5E7F7ADC6AE7A7A2falsetrue 13241300x80000000000000007544265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 
10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000007544264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,17102418,7202269,41484365,17110988,7153487,39965824,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000007544263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000007544262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000007544261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000007544260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 
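Added example, not part of the telemetry dump on this page and not code from Sysmon or Splunk. The Event ID 10 (ProcessAccess) records in this dump (svchost.exe opening sysmon64.exe with GrantedAccess 0x1400, csrss.exe and splunkd.exe opening the newly started splunk-netmon.exe and splunk-admon.exe with 0x1fffff, splunk-admon.exe opening splunkd.exe with 0x101400) are the handle-open telemetry a credential-dumping detection is built on. The Python below rebuilds four of those records in the XML EventData layout Sysmon writes (the dump lost its field delimiters, so the PID/TID split of the concatenated numbers, e.g. 724/5560 for svchost.exe, is assumed, process GUIDs are omitted and call traces are shortened), adds one invented record of a non-Windows binary opening lsass.exe with PROCESS_VM_READ and an unbacked call-trace frame, decodes GrantedAccess into winnt.h right names, and triages each record. The lsass.exe allowlist and the hypothetical record's path, PIDs and address are assumptions to be tuned per fleet.

```python
"""Sysmon Event ID 10 (ProcessAccess) triage. Added example; the sample records
are constructed from values in the dump above (see lead-in), not page code."""
import xml.etree.ElementTree as ET
from html import escape
from ntpath import basename

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# Process access rights (winnt.h); Sysmon's GrantedAccess is this mask in hex.
PROCESS_RIGHTS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x2 | 0x8 | 0x10 | 0x20 | 0x40  # read or tamper with memory/threads
SENSITIVE_TARGETS = {"lsass.exe"}
# Assumption: Windows components allowed to open lsass with memory rights; tune per fleet.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def decode_access(mask: int) -> list[str]:
    """Map a GrantedAccess mask to winnt.h right names; unknown bits are kept as hex."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    return names + ([f"0x{unknown:x}"] if unknown else [])


def sysmon_xml(event_id: int, record_id: int, computer: str, data: dict) -> str:
    """Wrap EventData fields in the Windows event XML layout Sysmon writes."""
    rows = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID><EventRecordID>{record_id}</EventRecordID>"
            f"<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>{computer}"
            f"</Computer></System><EventData>{rows}</EventData></Event>")


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one event: System header fields plus every EventData/Data keyed by Name."""
    root, ns = ET.fromstring(xml_text), {"e": EVENT_NS}
    event = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=ns)),
             "EventRecordID": int(root.findtext("e:System/e:EventRecordID", namespaces=ns)),
             "Computer": root.findtext("e:System/e:Computer", namespaces=ns)}
    for data in root.iterfind("e:EventData/e:Data", ns):
        event[data.get("Name")] = data.text or ""
    return event


def triage(event: dict) -> dict:
    """Score one ProcessAccess record; an empty 'reasons' list means nothing to chase."""
    mask = int(event["GrantedAccess"], 16)
    src, tgt = basename(event["SourceImage"]).lower(), basename(event["TargetImage"]).lower()
    reasons = []
    if tgt in SENSITIVE_TARGETS and mask & MEMORY_RIGHTS and src not in LSASS_ALLOWED_SOURCES:
        reasons.append(f"{src} opened {tgt} with {decode_access(mask & MEMORY_RIGHTS)}")
    # Sysmon writes UNKNOWN(<address>) for a frame with no backing image on disk, i.e.
    # shellcode or a manually mapped module is on the call path.
    if any(f.startswith("UNKNOWN") for f in event.get("CallTrace", "").split("|")):
        reasons.append("call trace contains a frame not backed by a loaded image")
    return {"record": event["EventRecordID"], "source": src, "target": tgt,
            "rights": decode_access(mask), "reasons": reasons}


def triage_all(xml_events: list[str]) -> list[dict]:
    events = (parse_sysmon_event(x) for x in xml_events)
    return [triage(e) for e in events if e["EventID"] == 10]


HOST, BIN = "win-host-296.attackrange.local", r"C:\Program Files\SplunkUniversalForwarder\bin"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+a6134"


def access_event(rid, utc, pid, tid, src, tpid, tgt, access, trace):
    return sysmon_xml(10, rid, HOST, {
        "RuleName": "-", "UtcTime": utc, "SourceProcessId": pid, "SourceThreadId": tid,
        "SourceImage": src, "TargetProcessId": tpid, "TargetImage": tgt,
        "GrantedAccess": access, "CallTrace": trace})


# Four records mirror the dump (PID/TID split of the concatenated numbers assumed, process
# GUIDs omitted, call traces shortened); the last one is invented to show what gets flagged.
SAMPLE_EVENTS = [
    access_event(2131584, "2021-09-10 17:08:55.832", "724", "5560", r"C:\Windows\system32\svchost.exe",
                 "1860", r"C:\Windows\sysmon64.exe", "0x1400",
                 NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad"),
    access_event(2131581, "2021-09-10 17:08:55.832", "412", "992", r"C:\Windows\system32\csrss.exe",
                 "596", BIN + r"\splunk-netmon.exe", "0x1fffff",
                 NTDLL + r"|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645"),
    access_event(2131580, "2021-09-10 17:08:55.832", "3384", "3556", BIN + r"\splunkd.exe",
                 "596", BIN + r"\splunk-netmon.exe", "0x1fffff",
                 r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|" + BIN + r"\splunkd.exe+ce6a3b"),
    access_event(2131577, "2021-09-10 17:08:55.331", "4800", "6032", BIN + r"\splunk-admon.exe",
                 "3384", BIN + r"\splunkd.exe", "0x101400",
                 NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+221bd|" + BIN + r"\splunk-admon.exe+6025c5"),
    access_event(9999999, "2021-09-10 17:09:30.000", "5124", "5128", r"C:\Users\Public\update.exe",
                 "672", r"C:\Windows\system32\lsass.exe", "0x1010", NTDLL + "|UNKNOWN(000001F2A3B40F9F)"),
]
```

Calling triage_all(SAMPLE_EVENTS) leaves the four records taken from the dump with an empty reasons list (0x1400 and 0x101400 are query-only rights, and 0x1fffff to a freshly spawned Splunk child from csrss.exe or its parent splunkd.exe touches no sensitive target), while the invented record is flagged twice: PROCESS_VM_READ on lsass.exe from a binary outside the allowlist, and an UNKNOWN frame in the call trace. The GrantedAccess check is done on the bit mask rather than on a list of literal values so that a caller requesting an unusual combination of rights does not slip past the rule.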
12241200x80000000000000007544259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common
12241200x80000000000000007544258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0
12241200x80000000000000007544257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office
12241200x80000000000000007544256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft
12241200x80000000000000007544255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software
12241200x80000000000000007544254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12241200x80000000000000007544253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12241200x80000000000000007544252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:08:55.450{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
10341000x80000000000000002131577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.331{AEE49BD1-9127-613B-9A1B-01000000F101}48006032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002131566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002131565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.210{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002131564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.195{AEE49BD1-9127-613B-9A1B-01000000F101}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000002131563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93700BCB3F6C0FCDA03A35A7A70A63A2,SHA256=94F97BA4515B7E8C965461C60CF1C0D6BDBAA2A1CFF2C1C0EC38EC7D825777A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000002131562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:55.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0550929716B359C9071F7D717279D69C,SHA256=0E608FB5D03A6C7FCBC524CE7001B9FBAAA2C3E0A05DC60064C24ACE364D0016,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000002131594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:56.864{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7870860CF3BF618AF5458D19807D0B06,SHA256=778605A9048E3CF15CF485DCBD9343E8AADB26203A0BA54D824A8589090CA67C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007544277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007544276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.549{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44831FD0716DD20970647AEA4ADB1BD,SHA256=487FFA6CB8390EA81B102EF3D43B98E0D73B468AC621F2301D75891743155EB7falsetrue
23542300x80000000000000002131593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:56.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93700BCB3F6C0FCDA03A35A7A70A63A2,SHA256=94F97BA4515B7E8C965461C60CF1C0D6BDBAA2A1CFF2C1C0EC38EC7D825777A1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007544275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000007544274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E769EADFB8777159D1F9FA67D46125,SHA256=B0DABF91BC7D1913CF812A427E5B024E1414CFB40D832BAFBF9AFD1ED4282F1Ffalsetrue
11241100x80000000000000007544273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769
23542300x80000000000000007544272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:56.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F50F6D2EE0B3436A652FAA7553F0704E,SHA256=25CAA40F37ACF89D2DD23A9966D6AC6A6C493FE0FEDDA63F1E3BF8A288501AAAfalsetrue
23542300x80000000000000002131595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:57.866{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3513D83C3983B34D41436EAE02BD4862,SHA256=BD1C8F04D18E3508C8CA11F46EC85CB69AA42E1280BA3E9791AF26D07B07F3F5,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007544280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:57.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007544279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:57.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B880604C6BF91B31B2C0A05A30BF3663,SHA256=9FC330532194D6BD1BEB1763E2BFD2BBD451401F4B320BDE18921F9218091AA1falsetrue
354300x80000000000000007544278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:38.087{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56759-false10.0.1.12-8000-
23542300x80000000000000002131596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:58.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AF4321769BE16CDF95BDD70ACF8520,SHA256=8142D12431849E3E3666BA8C97EC5EE02E0CCF6FF2F0C32E6DD7AAB8FA504CC6,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007544284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007544283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD66542B1E4D0DD4FDACB002694C403,SHA256=BACED5EDB434EE2FD50FCE3D817D12CB09935C6FA06D11741D39635A4CC71EDCfalsetrue
11241100x80000000000000007544282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.510{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185
23542300x80000000000000007544281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:58.509{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC19234030EEEEBDF28264BFE7D654FB,SHA256=6125E4648B014808A574BB685D2D4D058E0320146776986FE03AA315A1C55050falsetrue
11241100x80000000000000007544286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007544285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.661{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C56E29EAC3D180CC9A7573B8FDAB231,SHA256=6DB17469DD928AD64E9DD12C477EB95B41E0A7C78AC845C58FAA0679F6E4D231falsetrue
23542300x80000000000000002131597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:59.917{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C0BDFE107A6F24820E45D5A167384F,SHA256=5DFAC0E466EE52921BDC11E9EC841C2413F5E7B371DBEFFFA80828CE035D1EF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000002131599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:00.919{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3173DD40747EA5C3E9F714D0C563B183,SHA256=B357403B9E9874E289A39650D5FB892A743E9633F18E196866B771FF0DEEF252,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007544294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000007544293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D1DC8E06684CF21DBC39E9E5E80EA703,SHA256=C6F5BF5240B69342AAE1573A74A2E2442281E777348934E5ECE92356F697AC6Cfalsetrue
11241100x80000000000000007544292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007544291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CD583ACAA8650A57A861BD8332E036,SHA256=DCC5C55BEF11B14F79F3E90AA1CF417753FBF8204D9FFE7EEF4D98C8FC0D2844falsetrue
11241100x80000000000000007544290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.643{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000007544289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.643{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB7C31012BAB018165FFE39215DD7965,SHA256=E9E7B3EC4037945D41F484233E1F974202B512F4FA414BF30676F0D690740AD6falsetrue 11241100x80000000000000007544288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:00.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9153D16DF0DCFE1E1358D889A7F2BD64,SHA256=2BB0BAEED87BA7572F7EB339DB277FB562722F9D9C64F925981E7DC9EEB6D57Efalsetrue 23542300x80000000000000002131598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:00.386{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1BB06B16BA66220C6445601DCA7558,SHA256=5AEFFD07FE5A7A71A357ECB93D652F2C20F4E2A60C7555CCD917FE8365C33F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:01.938{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085900A68987A929A6D672FB6AD19BB,SHA256=0480DA52333B329B3F20D04F66DB06A590030104431321DAC33032278F3B7254,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.707{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AD8AD7A7B08DBCF7550ABBA62303AE,SHA256=2235E0215FE273246FEAB26DAF9FE6BABE529D9F265AF407C8F133066ABD51ABfalsetrue 354300x80000000000000002131600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:51.958{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62364-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:02.975{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542358264AB0207EE4576AF8B7DF75EE,SHA256=1D49D3E2363B404D33C8A51B8917450880BB0CE6BBA12079B46B5420A7DD115B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043CDF3F1793C2D714F11131B88C7A80,SHA256=B18D26489E9E90807239118ABAA30C0D18F34D44F0D8A7EE01C87D1A2BE6FC29falsetrue 11241100x80000000000000007544300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E4E58EC4A23BA38C3472E08A6503BD4,SHA256=F315F97157752F96C5B0F4840279BFDF3E24D810ADC84992D241E58B934C9346falsetrue 
11241100x80000000000000007544298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:02.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E769EADFB8777159D1F9FA67D46125,SHA256=B0DABF91BC7D1913CF812A427E5B024E1414CFB40D832BAFBF9AFD1ED4282F1Ffalsetrue 23542300x80000000000000002131603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:03.976{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A142BBAAFC4A735F544C004E0EA17819,SHA256=E285F87B3B5BAE31DD8716E9962EEAC8D61485F3361E3781FFE150DB2B5DD594,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B322656F701D01A04D9FA378D7012F42,SHA256=C8DF7BFD0F04CC895A471714CBEE6C07DD6F02F2508E01575CE31DD0CEA1B36Dfalsetrue 354300x80000000000000007544303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:43.997{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56760-false10.0.1.12-8000- 23542300x80000000000000002131604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:04.978{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D81B7B2FEC46E908762D1C9CC17A1F2,SHA256=212086B879587B95022CF415957EFC29CF4AAD159F5D819E20BAED4A81C4174D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED94C9EA3F715A06BB80741BE72A49,SHA256=749DA26D364692ECEB3F8C66D9313BDEABA23F7BB9539E3DE4406CCDC51B4163falsetrue 
11241100x80000000000000007544307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:04.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E4E58EC4A23BA38C3472E08A6503BD4,SHA256=F315F97157752F96C5B0F4840279BFDF3E24D810ADC84992D241E58B934C9346falsetrue 23542300x80000000000000002131606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:05.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD15C06F8EA904C7BB6250484D6AA15,SHA256=BB864721700DFC6BFCF157FEED1494BE53007DBABE7ED6025AD96C2CCE106110,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.935{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.935{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC6A97248EE390165BD6CB441F9A68DC,SHA256=30E36C5BFD0C09E375F6A1A402FC74F49F934F204B36702850408FB6556232C5falsetrue 11241100x80000000000000007544315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F1A26BBFE12792D947D2321C5DF001BC,SHA256=58D604FD8F1449330B8DF47D23B56BC306B821E11A6430B463E0F2102840A7DEfalsetrue 11241100x80000000000000007544313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.919{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCCB4679CD4F45D2218E4E6626D888A,SHA256=81ED2D39B1632DB4EC0E8355894573B367E4D68005EEC0EAAB48E5A9BB28F713falsetrue 
23542300x80000000000000002131605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:05.278{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524F7401F5EFF7BCE6D89700F44E0D10,SHA256=E42FB02D0C22BDD4B3A204C485EFCFDB4A26D10113836D05ED6C0912E8056F88,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.305{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007544310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:05.305{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=703A6B3E766FA770B40441D89CAED1F4,SHA256=A24A3C3803490E54FF1651C3E7A67D243CBA564314596A6877270D81E88DFD10falsetrue 11241100x80000000000000007544319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:06.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:06.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9697C155B9CBBDB9933A11D5F032049A,SHA256=4059CCCFA36FB8C64B87AC5698C24F3EDF926683EF3B29BFE289F07E7FB6B62Ffalsetrue 354300x80000000000000002131607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:08:57.031{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62365-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007544324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB4BF7364E06930D683DD623D938A0B,SHA256=91FDAD4C79F6F2CD57C73704FF69DF0146141CE5FD175C491E69284721669660falsetrue 354300x80000000000000007544322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:49.005{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56761-false10.0.1.12-8000- 11241100x80000000000000007544321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.165{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=317FFF2CF0160A484498200FE8F22C63,SHA256=77092AAA99EF08947C2FE472BEBEC98F5881BF73579A57A3E6E288E0BBEA8603falsetrue 10341000x80000000000000002131621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9133-613B-9C1B-01000000F101}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:12.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9776156840A5793851677F5A32B7C5F,SHA256=0FF6778AC9EE19768EC2540214959ADCFDB08AB3E60D9B545031D030849DB200,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007544372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007544370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:12.010{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007544380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:55.042{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56762-false10.0.1.12-8000- 354300x80000000000000007544379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:08:55.005{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse75.174.156.221-53964-false10.0.1.14win-dc-291.attackrange.local3389ms-wbt-server 11241100x80000000000000007544378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.371{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007544377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.371{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFE5AC7E2F53F1B1E77F51266A3E26,SHA256=AAD630724BDAA7D87D7CF0CC5185A0987C37F63CCA1BD1D1ECD8E381AED6D901falsetrue 23542300x80000000000000002131664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:13.737{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9918MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:04.406{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62367-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 
23542300x80000000000000002131662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:13.105{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D035F4596034CB4E7A0153B798E1F86,SHA256=69F3888A31F7070720E1E286914AAB67E6F3FDB76DEF4B55ADC258422BB374AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007544376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007544375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:13.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A77D606A2105339A52673F3952A78099,SHA256=20C43F3FFFFDB01815A2DDD62839C7E1B1C4CEA584C26D87F1A8C0AF0D10C4E5falsetrue 23542300x80000000000000002131665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:14.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6D8FBC2B0C75C93240B5A4B3131AE5,SHA256=94576D035EC8ABC79894D472102B00357FA7742F1E897DDFEA979D498984AA59,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007545782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=EFA3E8A9CBD2C00E0F42A5958D993F11,SHA256=C561557BE94BA4F8EE12FE3C13922A0729A6B462DF82D4A4D7941516367209CBtrueMicrosoft WindowsValid 12241200x80000000000000007545778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007545767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.990{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.989{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.989{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.989{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.969{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000007545756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.969{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000007545755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 11241100x80000000000000007545754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007545753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83385DE66101DB79AEC36C5058ACCB92,SHA256=C95F2E5DD9EC97E0D3F2EEAC4BF46403FDB04E77B4612FEE7B01B5E1D9427D0Cfalsetrue 12241200x80000000000000007545752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 12241200x80000000000000007545750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
12241200x80000000000000007545749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007545742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.790{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000007545741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 12241200x80000000000000007545734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 12241200x80000000000000007545724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts 12241200x80000000000000007545723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\TIP 
12241200x80000000000000007545722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Substitutes 12241200x80000000000000007545721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload 12241200x80000000000000007545720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007545716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.790{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ism32k.dll-----MD5=2D64FFE4D9D69749DAE22929EAF7C0E3,SHA256=DE4B60F73BE4265C83E68C80B984F5B06B69DB281E4F1365DBBAFB9D9366D9B1trueMicrosoft WindowsValid 
12241200x80000000000000007545715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.953{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007545700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007545693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.786{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 12241200x80000000000000007545691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
11241100x80000000000000007545678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.937{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
12241200x80000000000000007545677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.937{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
23542300x80000000000000007545667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.937{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBE7508557E1398460A3D748DAC5DA7,SHA256=2186C187B678D3BB09D2282D479B77E0067D6F2407054617710DCFDDC7663C59falsetrue
734700x80000000000000007545666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.937{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63trueMicrosoft WindowsValid
734700x80000000000000007545665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid
734700x80000000000000007545664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECBtrueMicrosoft WindowsValid
734700x80000000000000007545663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid
734700x80000000000000007545662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid
734700x80000000000000007545661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.922{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid
12241200x80000000000000007545660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.922{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000007545659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmghost.dll10.0.14393.0 (rs1_release.160715-1616)DWMGhostMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMGhost.DLLMD5=E90480135CCF153367927193360E1704,SHA256=1E38DCCFBB4E3F7A97ACF9B8F35A27EDA314779E17951B62915BFEF2C4FE1905trueMicrosoft WindowsValid
12241200x80000000000000007545658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000007545657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000007545656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000007545655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000007545632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836EtrueMicrosoft WindowsValid
12241200x80000000000000007545631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000007545630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000007545629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000007545628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
734700x80000000000000007545608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.906{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4trueMicrosoft WindowsValid
12241200x80000000000000007545607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.906{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000007545603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000007545602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
12241200x80000000000000007545601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000007545600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000007545578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000007545577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4trueMicrosoft WindowsValid
12241200x80000000000000007545576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000007545575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.890{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.889{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000007545554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000007545553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000007545552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid
12241200x80000000000000007545551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000007545550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000007545548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000007545547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000007545546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000007545545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000007545544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007545536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Winlangdb.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Bcp47 Language DatabaseMicrosoft® Windows® Operating SystemMicrosoft CorporationWinlangdb.dllMD5=50E4D5039A8CDC4A6B540FCA4584CDBD,SHA256=AEF4A7FDBF3D97CAA5750A3779246AF5E562176179153B356689A0E3FC5BB444trueMicrosoft WindowsValid 12241200x80000000000000007545526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.869{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmcore.dll10.0.14393.3297 (rs1_release_1.191001-1045)Microsoft DWM Core LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationdwmcoreMD5=03C407A9E53E7F5B008408EE7DD98C49,SHA256=128569219AE53C10BBF6630E2CEF5CAEE94EEE53D149EAB67B8FE527C77C73F5trueMicrosoft WindowsValid 12241200x80000000000000007545499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007545494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.853{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007545475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.853{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.853{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 10341000x80000000000000007545472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.853{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 734700x80000000000000007545470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.853{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 734700x80000000000000007545469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.837{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 12241200x80000000000000007545468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.837{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® 
Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x80000000000000007545464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid 12241200x80000000000000007545459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007545458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.837{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.XamlHost.dll10.0.14393.4169 (rs1_release.210107-1130)XAML HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.XamlHost.dllMD5=3EF300C64E57C482FEC2A62454CC45BC,SHA256=CED0EEE32D019EAF1BE70190B87FA9858054DEE20DE77EF0BDC67C2B8B0DD669trueMicrosoft WindowsValid 
12241200x80000000000000007545437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007545422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.822{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 12241200x80000000000000007545410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000007545386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007545376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\uDWM.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationudwm.dllMD5=92156F4F346EEF68A638B377310E5A44,SHA256=1ACA1754494BC261C5AE9891F3CDFE9A9060D1F882858B9087E6365C9572D360trueMicrosoft WindowsValid 12241200x80000000000000007545375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007545372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x80000000000000007545363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x80000000000000007545362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.806{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 12241200x80000000000000007545361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.806{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007545360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630trueMicrosoft WindowsValid 12241200x80000000000000007545357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.790{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007545333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007545332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.790{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CE24FEF4E2748819D016BFBD6D7C9B,SHA256=99782236615CBF7DFC205F83A4736DEFCA8601A86BB75633768D8A746D7CDCDCfalsetrue 11241100x80000000000000007545331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 12241200x80000000000000007545330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.787{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exeHKCR 23542300x80000000000000007545329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BEA52FF633D7A26A1D07E87115C54EC4,SHA256=97E89E836CD1966DBE405C511C5DCE1B71187E82294166E406AF3574C305FE98falsetrue 12241200x80000000000000007545328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.787{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.786{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
11241100x80000000000000007545326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 12241200x80000000000000007545325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 23542300x80000000000000007545324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.785{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10D350C6F2C090B48BBEFC4513F8505A,SHA256=F6B7BC02B11DC7781C57BF858B1E5A3DBB3A352827455A976DA8EF384859A718falsetrue 734700x80000000000000007545323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmredir.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Desktop Window Manager Redirection ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmredir.dllMD5=05B2A35A72410F77A402FA5B76CF2086,SHA256=13F6D45C49526D75A2E781E59E0C73DF7774579BEF684782B5A283926F8D390EtrueMicrosoft WindowsValid 12241200x80000000000000007545322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007545313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.785{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.784{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.784{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Logon.dll10.0.14393.4467 (rs1_release.210604-1844)Logon User ExperienceMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Logon.dllMD5=1F387C61960B104EBAEFDFC3B97BB9F2,SHA256=DC1EE4F165BEF4E712E4F29C0CED9376288100433F3C8557B36117B8BAEE6CADtrueMicrosoft WindowsValid 12241200x80000000000000007545295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 
10341000x80000000000000007545271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007545269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.769{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
13241300x80000000000000007545267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload\100000409 12241200x80000000000000007545266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload\1 13241300x80000000000000007545265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007545264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayoutDWORD (0x04090409) 13241300x80000000000000007545263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID{00000000-0000-0000-0000-000000000000} 12241200x80000000000000007545262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 
12241200x80000000000000007545261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.769{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 13241300x80000000000000007545256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409DWORD (0x00000001) 10341000x80000000000000007545255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.753{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000007545252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts 12241200x80000000000000007545251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\TIP 12241200x80000000000000007545250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Substitutes 12241200x80000000000000007545249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload 12241200x80000000000000007545248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007545245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007545244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 
17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007545243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 12241200x80000000000000007545242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 13241300x80000000000000007545241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\ShowShiftLockDWORD (0x00000001) 13241300x80000000000000007545240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\ShowCasingDWORD (0x00000001) 13241300x80000000000000007545239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\0000000000000409 12241200x80000000000000007545238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 12241200x80000000000000007545237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language 12241200x80000000000000007545236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language 13241300x80000000000000007545235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\LanguagesBinary Data 12241200x80000000000000007545234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 10341000x80000000000000007545233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007545231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007545230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007545229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.753{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401trueMicrosoft WindowsValid 
13241300x80000000000000007545228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName@Winlangdb.dll,-1121 12241200x80000000000000007545227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 12241200x80000000000000007545226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile 734700x80000000000000007545225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DDtrueMicrosoft WindowsValid 734700x80000000000000007545224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007545223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 10341000x80000000000000007545222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007545220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x80000000000000007545219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 10341000x80000000000000007545218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007545214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttributeDWORD (0x00000001) 13241300x80000000000000007545213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorizationDWORD (0x00000001) 13241300x80000000000000007545212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalanceDWORD (0x00000001) 13241300x80000000000000007545211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalanceDWORD (0x0000000a) 13241300x80000000000000007545210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowDWORD (0xc40075c6) 13241300x80000000000000007545209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalanceDWORD (0x00000059) 13241300x80000000000000007545208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorDWORD (0xc40075c6) 
12241200x80000000000000007545207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 13241300x80000000000000007545206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColorDWORD (0xffc67500) 12241200x80000000000000007545205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 13241300x80000000000000007545204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenuDWORD (0xffc67500) 13241300x80000000000000007545203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenuDWORD (0xff995a00) 12241200x80000000000000007545202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent 13241300x80000000000000007545201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPaletteBinary Data 
12241200x80000000000000007545200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent 13241300x80000000000000007545199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttributeDWORD (0x00000001) 13241300x80000000000000007545198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorizationDWORD (0x00000001) 13241300x80000000000000007545197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalanceDWORD (0x00000001) 13241300x80000000000000007545196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalanceDWORD (0x0000000a) 13241300x80000000000000007545195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowDWORD (0xc40075c6) 13241300x80000000000000007545194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalanceDWORD 
(0x00000059) 13241300x80000000000000007545193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorDWORD (0xc40075c6) 12241200x80000000000000007545192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 734700x80000000000000007545191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000007545190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000007545189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007545184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 12241200x80000000000000007545183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007545181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000007545179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exeMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408trueMicrosoft WindowsValid 12241200x80000000000000007545178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007545167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.738{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x80000000000000007545161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 12241200x80000000000000007545159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 12241200x80000000000000007545156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007545148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000007545133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x80000000000000007545132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007545130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007545129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007545128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007545127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007545126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007545125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007545124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007545123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x80000000000000007545122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
12241200x80000000000000007545120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.722{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007545118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1CtrueMicrosoft WindowsValid 12241200x80000000000000007545116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007545107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.722{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007545093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.706{4DF467A6-913A-613B-7122-01000000F001}62123836C:\Windows\system32\csrss.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007545092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.706{4DF467A6-913A-613B-7222-01000000F001}74766744C:\Windows\system32\winlogon.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007545091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.719{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{4DF467A6-913A-613B-9EB5-EB0C00000000}0xcebb59e3SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exewinlogon.exe 12241200x80000000000000007545090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000007545088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87trueMicrosoft WindowsValid 12241200x80000000000000007545085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007545074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.706{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.706{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.706{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 12241200x80000000000000007545057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007545053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007545038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonController.dll10.0.14393.4169 (rs1_release.210107-1130)Logon UX ControllerMicrosoft® Windows® Operating SystemMicrosoft CorporationLogonController.dllMD5=EEFFA85317E0C7483D747B7C0F20ED38,SHA256=6DC57621059816648A4D438874A29C3F697A86EFC8B04E2945F2C74733DB28A5trueMicrosoft WindowsValid 12241200x80000000000000007545035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007545024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007545012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.706{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColorDWORD (0xffc67500) 12241200x80000000000000007545011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.706{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 734700x80000000000000007545010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\winsta.dll10.0.14393.0 
(rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 10341000x80000000000000007545009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}67004992C:\Windows\system32\LogonUI.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007545008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\IdleTimeDWORD (0x00000000) 12241200x80000000000000007545007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI 12241200x80000000000000007545006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3 13241300x80000000000000007545005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\BootLogonDWORD (0x00000000) 12241200x80000000000000007545004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData 734700x80000000000000007545003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000007545002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007545001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 
734700x80000000000000007545000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007544999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007544998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007544997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 
734700x80000000000000007544996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 12241200x80000000000000007544995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000007544993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.691{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000007544991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.691{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exeMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5trueMicrosoft WindowsValid 734700x80000000000000007544988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.690{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000007544987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.690{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007544981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.688{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000007544963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.688{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007544962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.687{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007544961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.687{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.687{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007544959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.686{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007544958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.684{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.684{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007544956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007544955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000007544954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x80000000000000007544953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007544952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007544951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x80000000000000007544950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007544945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007544944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 
12241200x80000000000000007544943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007544941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\dwminit.dll10.0.14393.2273 (rs1_release_1.180427-1811)DWMInitMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMInit.DLLMD5=2F84B6415D918374A67E50BCE01C3CA2,SHA256=D6A64DE0BFDD504D9C57760F8847EEB3F637774D958BD9D52F000B66EB2AD9D2trueMicrosoft WindowsValid 12241200x80000000000000007544940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007544929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 10341000x80000000000000007544918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7122-01000000F001}62123836C:\Windows\system32\csrss.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007544916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.669{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}74764272C:\Windows\system32\winlogon.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.669{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007544913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.671{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3884055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000007544912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.669{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 13241300x80000000000000007544910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3884055Binary Data 12241200x80000000000000007544909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LastLoggedOnProvider 
12241200x80000000000000007544908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnUserSID 12241200x80000000000000007544907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnUser 12241200x80000000000000007544906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnSAMUser 12241200x80000000000000007544905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007544904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\DWM\DwmInitSessionActivityId_000000036BFE35A5-A0D8-0002-ACFD-026CD8A0D701 12241200x80000000000000007544903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.669{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKLM\SOFTWARE\Microsoft\Windows\DWM 10341000x80000000000000007544902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.669{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007544900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.653{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007544899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeNameNormalSize 12241200x80000000000000007544898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorNameNormalColor 12241200x80000000000000007544896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName%%SystemRoot%%\resources\themes\Aero\Aero.msstyles 
12241200x80000000000000007544894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedPPI96 12241200x80000000000000007544892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPIPlateaus1 12241200x80000000000000007544890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI96 12241200x80000000000000007544888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 
13241300x80000000000000007544887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID1033 12241200x80000000000000007544886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore1 12241200x80000000000000007544884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007544883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive1 12241200x80000000000000007544882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager 12241200x80000000000000007544881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
12241200x80000000000000007544880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007544877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.653{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\UXInit.dll10.0.14393.0 (rs1_release.160715-1616)Windows User Experience Session Initialization DllMicrosoft® Windows® Operating SystemMicrosoft CorporationUXINIT.DLLMD5=3803D95BBCB88A09B1F4043F77B0A52C,SHA256=C7B7522CA9BA3F683ADCFB20AE30533B34E4FC91BEDD283E93D0B733E6B97049trueMicrosoft WindowsValid 12241200x80000000000000007544876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.653{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
Microsoft-Windows-Sysmon/Operational events exported from win-dc-291.attackrange.local (Splunk Attack Range), all dated 2021-09-10, newest record first. Every record carried Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the Event ID, and Version 2 (Event IDs 11, 12, 13), 3 (Event IDs 7, 10) or 5 (Event ID 23); those constant fields are not repeated per row. Every ImageLoad (Event ID 7) record reported Product "Microsoft® Windows® Operating System", Company "Microsoft Corporation", Signed=true, Signature="Microsoft Windows", SignatureStatus=Valid.

Processes (Image, ProcessId, ProcessGuid):
  sysmon64.exe          C:\Windows\sysmon64.exe                                             2948  {4DF467A6-3F58-6132-2B00-00000000F001}
  winlogon.exe          C:\Windows\System32\winlogon.exe                                    7476  {4DF467A6-913A-613B-7222-01000000F001}
  csrss.exe             C:\Windows\System32\csrss.exe                                       6212  {4DF467A6-913A-613B-7122-01000000F001}
  svchost.exe           C:\Windows\System32\svchost.exe                                     1248  {4DF467A6-3F48-6132-1600-00000000F001}
  svchost.exe           C:\Windows\System32\svchost.exe                                      308  {4DF467A6-3F48-6132-0F00-00000000F001}
  splunk-winevtlog.exe  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  5720  {4DF467A6-D93F-6137-8AAF-00000000F001}

Record   EID Type           UtcTime       Process (PID)                 Details
7544866  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544865  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544864  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544863  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
7544862  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
7544861  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
7544860  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
7544859  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544858  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544857  7   ImageLoad      17:09:14.653  winlogon.exe (7476)           C:\Windows\System32\cryptbase.dll  10.0.14393.0 (rs1_release.160715-1616)  Base cryptographic API DLL  OriginalFileName=cryptbase.dll  MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C  SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE
7544856  10  ProcessAccess  17:09:14.653  svchost.exe (1248, TID 1928)  -> winlogon.exe (7476)  GrantedAccess=0x1400  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7544855  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544854  10  ProcessAccess  17:09:14.653  svchost.exe (1248, TID 1296)  -> winlogon.exe (7476)  GrantedAccess=0x1478  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7544853  12  CreateKey      17:09:14.653  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager
7544852  7   ImageLoad      17:09:14.653  winlogon.exe (7476)           C:\Windows\System32\uxtheme.dll  10.0.14393.4169 (rs1_release.210107-1130)  Microsoft UxTheme Library  OriginalFileName=UxTheme.dll  MD5=43AEE61AFABE70BFC876CC53D6A64E04  SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12
7544851  10  ProcessAccess  17:09:14.653  svchost.exe (1248, TID 1928)  -> winlogon.exe (7476)  GrantedAccess=0x147a  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7544850  10  ProcessAccess  17:09:14.653  svchost.exe (1248, TID 1296)  -> winlogon.exe (7476)  GrantedAccess=0x1478  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7544849  12  CreateKey      17:09:14.653  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager
7544848  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544847  12  CreateKey      17:09:14.653  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544846  7   ImageLoad      17:09:14.653  winlogon.exe (7476)           C:\Windows\System32\SHCore.dll  10.0.14393.4169 (rs1_release.210107-1130)  SHCORE  OriginalFileName=SHCORE.dll  MD5=D287E1BC5A148E2BCB482DBD0E925738  SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D
7544845  13  SetValue       17:09:14.638  winlogon.exe (7476)           HKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = Binary Data
7544844  7   ImageLoad      17:09:14.638  winlogon.exe (7476)           C:\Windows\System32\KBDUS.DLL  10.0.14393.0 (rs1_release.160715-1616)  United States Keyboard Layout  OriginalFileName=kbdus.dll  MD5=974F03FF3BDB6786F890329340E29CFF  SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63
7544843  7   ImageLoad      17:09:14.638  winlogon.exe (7476)           C:\Windows\System32\KBDUS.DLL  10.0.14393.0 (rs1_release.160715-1616)  United States Keyboard Layout  OriginalFileName=kbdus.dll  MD5=974F03FF3BDB6786F890329340E29CFF  SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63
7544842  13  SetValue       17:09:14.638  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = DWORD (0x00000000)
7544841  13  SetValue       17:09:14.638  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile = (Empty)
7544840  13  SetValue       17:09:14.638  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID = (Empty)
7544839  12  CreateKey      17:09:14.638  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession
7544838  13  SetValue       17:09:14.622  winlogon.exe (7476)           HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\LastBootTimeFontCacheState = DWORD (0x00000002)
7544837  11  FileCreate     17:09:14.569  splunk-winevtlog.exe (5720)   C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  CreationUtcTime=2021-09-03 15:28:51.675
7544836  23  FileDelete     17:09:14.569  splunk-winevtlog.exe (5720)   User=NT AUTHORITY\SYSTEM  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational  MD5=3FA3045A889DC72F96641EEF0DF275AF  SHA256=7A5CE6B7522A8B31DA5EA5F28C7C223CA3789C2238F915E3FC65A5D00B7D0960  IsExecutable=false  Archived=true
7544835  7   ImageLoad      17:09:14.569  winlogon.exe (7476)           C:\Windows\System32\KBDUS.DLL  10.0.14393.0 (rs1_release.160715-1616)  United States Keyboard Layout  OriginalFileName=kbdus.dll  MD5=974F03FF3BDB6786F890329340E29CFF  SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63
7544834  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7544833  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7544832  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7544831  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7544830  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7544829  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544828  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544827  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544826  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
7544825  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
7544824  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
7544823  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
7544822  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7544821  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7544820  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544819  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544818  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544817  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
7544816  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
7544815  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
7544814  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
7544813  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544812  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544811  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544810  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544809  12  CreateKey      17:09:14.569  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544808  13  SetValue       17:09:14.569  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = DWORD (0x00000000)
7544807  13  SetValue       17:09:14.569  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile = (Empty)
7544806  13  SetValue       17:09:14.569  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID = (Empty)
7544805  12  CreateKey      17:09:14.569  winlogon.exe (7476)           HKU\.DEFAULT\Software\Microsoft\CTF\RemoteSession
7544804  7   ImageLoad      17:09:14.569  winlogon.exe (7476)           C:\Windows\System32\bcryptprimitives.dll  10.0.14393.4583 (rs1_release.210730-1850)  Windows Cryptographic Primitives Library  OriginalFileName=bcryptprimitives.dll  MD5=8AAF6E1B14B9210052FFF90E25926D63  SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353
7544803  7   ImageLoad      17:09:14.569  winlogon.exe (7476)           C:\Windows\System32\combase.dll  10.0.14393.4583 (rs1_release.210730-1850)  Microsoft COM for Windows  OriginalFileName=COMBASE.DLL  MD5=878EBD02A580FDF8F187100127E6D3A8  SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216
7544802  7   ImageLoad      17:09:14.569  winlogon.exe (7476)           C:\Windows\System32\msvcp_win.dll  10.0.14393.2999 (rs1_release_inmarket.190520-1518)  Microsoft® C Runtime Library  OriginalFileName=msvcp_win.dll  MD5=C50C0CEFA633773AB29572E05834F1FE  SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5
7544801  7   ImageLoad      17:09:14.569  winlogon.exe (7476)           C:\Windows\System32\oleaut32.dll  10.0.14393.4402 (rs1_release.210426-1725)  OLEAUT32.DLL  OriginalFileName=OLEAUT32.DLL  MD5=57B07BF89C63FA60A810FEDE496126CA  SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E
7544800  7   ImageLoad      17:09:14.569  winlogon.exe (7476)           C:\Windows\System32\msctf.dll  10.0.14393.4530 (rs1_release.210705-0736)  MSCTF Server DLL  OriginalFileName=MSCTF.DLL  MD5=E2374A214A9F0C8347C29EBDE3447986  SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1
7544799  7   ImageLoad      17:09:14.553  winlogon.exe (7476)           C:\Windows\System32\imm32.dll  10.0.14393.0 (rs1_release.160715-1616)  Multi-User Windows IMM32 API Client DLL  OriginalFileName=imm32  MD5=E1024CF2E35DD3467F52BC83F7FEDA3F  SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A
7544798  7   ImageLoad      17:09:14.553  winlogon.exe (7476)           C:\Windows\System32\gdi32full.dll  10.0.14393.4530 (rs1_release.210705-0736)  GDI Client DLL  OriginalFileName=gdi32  MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E  SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D
7544797  7   ImageLoad      17:09:14.553  winlogon.exe (7476)           C:\Windows\System32\gdi32.dll  10.0.14393.4169 (rs1_release.210107-1130)  GDI Client DLL  OriginalFileName=gdi32  MD5=551D603CEC947F586DB9FADEF4D2EBA6  SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8
7544796  7   ImageLoad      17:09:14.553  winlogon.exe (7476)           C:\Windows\System32\win32u.dll  10.0.14393.0 (rs1_release.160715-1616)  Win32u  OriginalFileName=Win32u.DLL  MD5=6A40F9C63B52CB4E8271CF3418618033  SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15
7544795  7   ImageLoad      17:09:14.553  winlogon.exe (7476)           C:\Windows\System32\user32.dll  10.0.14393.4169 (rs1_release.210107-1130)  Multi-User Windows USER API Client DLL  OriginalFileName=user32  MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A  SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
7544794  13  SetValue       17:09:14.553  csrss.exe (6212)              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientation = DWORD (0x00000000)
7544793  12  CreateKey      17:09:14.553  csrss.exe (6212)              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
7544792  13  SetValue       17:09:14.538  csrss.exe (6212)              HKLM\HARDWARE\DEVICEMAP\VIDEO\\Device\Disc = \REGISTRY\Machine\System\CurrentControlSet\Services\TSDDD\Device0
7544791  12  CreateKey      17:09:14.538  csrss.exe (6212)              HKLM\HARDWARE\DEVICEMAP\VIDEO
7544790  10  ProcessAccess  17:09:14.538  csrss.exe (6212, TID 7604)    -> svchost.exe (308)  GrantedAccess=0x40  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f
7544789  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7544788  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7544787  7   ImageLoad      17:09:14.422  winlogon.exe (7476)           C:\Windows\System32\winlogon.exe  10.0.14393.3204 (rs1_release.190830-1500)  Windows Logon Application  OriginalFileName=WINLOGON.EXE  MD5=DEA4CE12F24601830083126E18A2C7C9  SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9
7544786  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7544785  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7544784  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7544783  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544782  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544781  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544780  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
7544779  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
7544778  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
7544777  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
7544776  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7544775  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7544774  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544773  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544772  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544771  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
7544770  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
7544769  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
7544768  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
7544767  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544766  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544765  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544764  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544763  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7544762  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7544761  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7544760  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7544759  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7544758  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7544757  7   ImageLoad      17:09:14.407  csrss.exe (6212)              C:\Windows\System32\sxssrv.dll  10.0.14393.3630 (rs1_release.200407-1730)  Windows SxS Server DLL  OriginalFileName=sxssrv  MD5=6544F8B9914C8EF44FFD2965D6D6C4DE  SHA256=B9FB6A183039AD35C0BE6D0DEBCB4618E15CF17D385E4886ED457DA23B31AB8B
7544756  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544755  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544754  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544753  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
7544752  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
7544751  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
7544750  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
7544749  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7544748  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7544747  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7544746  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7544745  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7544744  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
7544743  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
7544742  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
7544741  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
7544740  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7544739  12  CreateKey      17:09:14.438  sysmon64.exe (2948)           HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
13241300x80000000000000007544738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\PointerClass\\Device\PointerClass20\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mouclass 12241200x80000000000000007544737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\PointerClass 13241300x80000000000000007544736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007544735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007544734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 12241200x80000000000000007544733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum 13241300x80000000000000007544732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007544731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000007544730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.438{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 12241200x80000000000000007544729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum 13241300x80000000000000007544728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Device Parameters\IdentityBinary Data 13241300x80000000000000007544727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Device Parameters\NodeIDBinary Data 13241300x80000000000000007544726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9\(Default)Binary Data 12241200x80000000000000007544725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9 12241200x80000000000000007544724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4} 13241300x80000000000000007544723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006\(Default)Binary Data 12241200x80000000000000007544722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 12241200x80000000000000007544720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers 12241200x80000000000000007544717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 13241300x80000000000000007544714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 12241200x80000000000000007544713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 12241200x80000000000000007544712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 
13241300x80000000000000007544711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\KeyboardClass\\Device\KeyboardClass20\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kbdclass 12241200x80000000000000007544710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\KeyboardClass 13241300x80000000000000007544709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007544708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007544707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 12241200x80000000000000007544706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum 13241300x80000000000000007544705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000007544704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000007544703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 12241200x80000000000000007544702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum 13241300x80000000000000007544701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Device Parameters\IdentityBinary Data 13241300x80000000000000007544700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Device Parameters\NodeIDBinary Data 13241300x80000000000000007544699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9\(Default)Binary Data 12241200x80000000000000007544698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9 12241200x80000000000000007544697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4} 13241300x80000000000000007544696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006\(Default)Binary Data 12241200x80000000000000007544695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 12241200x80000000000000007544693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007544692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers 12241200x80000000000000007544690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} 12241200x80000000000000007544689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007544688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 12241200x80000000000000007544687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007544686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)Binary Data 12241200x80000000000000007544685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 
12241200x80000000000000007544684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 12241200x80000000000000007544683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 10341000x80000000000000007544681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 10341000x80000000000000007544678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007544675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\winsrv.dll10.0.14393.3686 (rs1_release.200504-1524)Multi-User Windows Server DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsrv.dllMD5=7BD8CD73F08B93E856BA2F7E6E93F6D0,SHA256=994340D9BF1DBE04F33544DC8FC4B1F72695AD5054F3409AA5F26743070DE55BtrueMicrosoft WindowsValid 10341000x80000000000000007544674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007544673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007544671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.422{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.422{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exeC:\Windows\System32\winsta.dll10.0.14393.0 
12241200x80000000000000007544533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007544531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 12241200x80000000000000007544530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007544524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007544523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 10341000x80000000000000007544522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.407{4DF467A6-3F48-6132-1400-00000000F001}10564028C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007544521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007544520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.407{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000007544519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x80000000000000007544518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x80000000000000007544517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x80000000000000007544516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000007544515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000007544514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000007544513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000007544512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 
12241200x80000000000000007544511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000007544510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000007544509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000007544508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000007544507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000007544506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000007544505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000007544504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000007544503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000007544502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000007544501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000007544500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000007544499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000007544498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust 12241200x80000000000000007544497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust 
12241200x80000000000000007544496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.407{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x80000000000000007544495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 12241200x80000000000000007544494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x80000000000000007544493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x80000000000000007544492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x80000000000000007544491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000007544490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000007544489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000007544488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007544487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000007544486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000007544485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000007544484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007544483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007544482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 
12241200x80000000000000007544481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000007544480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000007544479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007544478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000007544477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000007544476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000007544475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007544474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007544473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000007544472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000007544471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000007544470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot 734700x80000000000000007544469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.391{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007544468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 
12241200x80000000000000007544467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000007544466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000007544465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000007544464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x80000000000000007544463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x80000000000000007544462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x80000000000000007544461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000007544460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000007544459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000007544458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000007544457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000007544456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x80000000000000007544455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000007544454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 10341000x80000000000000007544453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}62885148C:\Windows\System32\smss.exe{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000007544452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.405{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000124 0000007c 12241200x80000000000000007544451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x80000000000000007544450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 
12241200x80000000000000007544449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x80000000000000007544448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x80000000000000007544447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x80000000000000007544446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000007544445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000007544444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000007544443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000007544442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000007544441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root 12241200x80000000000000007544440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root 12241200x80000000000000007544439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007544438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007544437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007544436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007544435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007544434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007544424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 13241300x80000000000000007544420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Windows\Win32kWPP\Parameters\WppRecorder_TraceGuid{3374f1c0-597f-4aa1-b2c2-12789d9c8c3f} 12241200x80000000000000007544419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007544418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007544417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007544415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x80000000000000007544414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x80000000000000007544413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 
12241200x80000000000000007544412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000007544411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000007544410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000007544409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000007544408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000007544407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000007544406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000007544405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 
12241200x80000000000000007544404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000007544403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000007544402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000007544401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000007544400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000007544399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000007544398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000007544397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000007544396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000007544395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000007544394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA 12241200x80000000000000007544393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA 13241300x80000000000000007544392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC\DeviceKindDWORD (0x00000000) 12241200x80000000000000007544391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC 13241300x80000000000000007544390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC\IsTabletPCDWORD (0x00000000) 
12241200x80000000000000007544389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC 13241300x80000000000000007544388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Tablet PC\IsTabletPCDWORD (0x00000000) 12241200x80000000000000007544387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Tablet PC 12241200x80000000000000007544386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeHKLM\SOFTWARE\Microsoft\TouchPrediction 10341000x80000000000000007544385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.391{4DF467A6-3F3E-6132-0200-00000000F001}3203940C:\Windows\System32\smss.exe{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 12241200x80000000000000007544384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:14.391{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007544383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:14.391{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000007544382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.391{4DF467A6-3F3E-6132-0200-00000000F001}3203940C:\Windows\System32\smss.exe{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000007544381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.338{4DF467A6-913A-613B-7022-01000000F001}6288C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000124 0000007c C:\Windows\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7{4DF467A6-3F3E-6132-0200-00000000F001}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000007547564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.985{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.985{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.936{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-EF05-00000000F001}4896C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.936{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-EF05-00000000F001}4896C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.936{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-EF05-00000000F001}4896C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.936{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-EF05-00000000F001}4896C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000007547558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:09:15.936{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 17141700x80000000000000007547557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:15.936{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007547556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.936{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000007547555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.936{4DF467A6-4446-6132-EC05-00000000F001}1764C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007547554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.936{4DF467A6-4446-6132-EC05-00000000F001}1764C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000007547553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.889{4DF467A6-4446-6132-EC05-00000000F001}17643796C:\Windows\system32\csrss.exe{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007547552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.889{4DF467A6-4446-6132-EC05-00000000F001}17643796C:\Windows\system32\csrss.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000007547551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\PointerClass\\Device\PointerClass21\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mouclass 12241200x80000000000000007547550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\HARDWARE\DEVICEMAP\PointerClass 13241300x80000000000000007547549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007547548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007547547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 12241200x80000000000000007547546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum 13241300x80000000000000007547545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007547544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000007547543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 12241200x80000000000000007547542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum 13241300x80000000000000007547541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Device Parameters\IdentityBinary Data 
13241300x80000000000000007547540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Device Parameters\NodeIDBinary Data 13241300x80000000000000007547539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9\(Default)Binary Data 12241200x80000000000000007547538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9 12241200x80000000000000007547537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4} 13241300x80000000000000007547536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006\(Default)Binary Data 12241200x80000000000000007547535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.889{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006 12241200x80000000000000007547534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
Sysmon events from Microsoft-Windows-Sysmon/Operational on win-dc-291.attackrange.local, 2021-09-10, listed newest first (EventRecordID descending). Common to every record: Level 4, Opcode 0, Task = EventID, Keywords 0x8000000000000000, RuleName "-". Version is 2 for ID 12/13, 3 for ID 7/10, 1 for ID 18, 5 for ID 23.

ProcessGuid -> PID and Image:
  {4DF467A6-3F3E-6132-0100-00000000F001}  4     System
  {4DF467A6-3EE5-613A-21FA-00000000F001}  2428  C:\Windows\explorer.exe
  {4DF467A6-3F58-6132-2B00-00000000F001}  2948  C:\Windows\sysmon64.exe
  {4DF467A6-913B-613B-7522-01000000F001}  7192  C:\Windows\System32\TSTheme.exe (written as C:\Windows\system32\TSTheme.exe on its registry events)
  {4DF467A6-3F47-6132-0C00-00000000F001}  836   C:\Windows\system32\svchost.exe
  {4DF467A6-3F48-6132-1600-00000000F001}  1248  C:\Windows\system32\svchost.exe
  {4DF467A6-4446-6132-ED05-00000000F001}  4184  C:\Windows\system32\winlogon.exe

Row layouts (fields separated by " | "):
  12/13 registry:    EventID | EventRecordID | UtcTime | EventType | PID Image | TargetObject [=> Details]
  7 image load:      7 | EventRecordID | UtcTime | PID Image | ImageLoaded | FileVersion | Description | OriginalFileName | Hashes   (every ID 7 record here: Product "Microsoft® Windows® Operating System", Company "Microsoft Corporation", Signed true, Signature "Microsoft Windows", SignatureStatus Valid)
  10 process access: 10 | EventRecordID | UtcTime | SourcePID/SourceTID SourceImage -> TargetPID TargetImage | GrantedAccess | CallTrace (frames innermost first, joined with "|" exactly as Sysmon writes them)
  18 pipe connected: 18 | EventRecordID | UtcTime | EventType | PID Image | PipeName
  23 file delete:    23 | EventRecordID | UtcTime | PID User Image | TargetFilename | Hashes | IsExecutable | Archived

(tail of the record that began on the previous line) 17:09:15.889 | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}
12 | 7547533 | 17:09:15.889 | DeleteValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006
12 | 7547532 | 17:09:15.889 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}
12 | 7547531 | 17:09:15.889 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers
12 | 7547530 | 17:09:15.889 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}
12 | 7547529 | 17:09:15.888 | DeleteValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
13 | 7547528 | 17:09:15.888 | SetValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default) => Binary Data
12 | 7547527 | 17:09:15.888 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
12 | 7547526 | 17:09:15.888 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}
13 | 7547525 | 17:09:15.888 | SetValue | 4 System | HKLM\HARDWARE\DEVICEMAP\KeyboardClass\\Device\KeyboardClass21 => \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kbdclass
12 | 7547524 | 17:09:15.888 | CreateKey | 4 System | HKLM\HARDWARE\DEVICEMAP\KeyboardClass
13 | 7547523 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstance => DWORD (0x00000002)
13 | 7547522 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Services\kbdclass\Enum\Count => DWORD (0x00000002)
13 | 7547521 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 => TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0
12 | 7547520 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Services\kbdclass\Enum
13 | 7547519 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstance => DWORD (0x00000001)
13 | 7547518 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Services\terminpt\Enum\Count => DWORD (0x00000001)
13 | 7547517 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Services\terminpt\Enum\0 => TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0
12 | 7547516 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Services\terminpt\Enum
13 | 7547515 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Device Parameters\Identity => Binary Data
13 | 7547514 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Device Parameters\NodeID => Binary Data
13 | 7547513 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9\(Default) => Binary Data
12 | 7547512 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}\03E9
12 | 7547511 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{824ed685-f9cc-4bb0-bee3-e1245638b2b4}
13 | 7547510 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006\(Default) => Binary Data
12 | 7547509 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006
12 | 7547508 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}
12 | 7547507 | 17:09:15.887 | DeleteValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0006
12 | 7547506 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}
12 | 7547505 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers
12 | 7547504 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}
12 | 7547503 | 17:09:15.887 | DeleteValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
13 | 7547502 | 17:09:15.887 | SetValue | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default) => Binary Data
12 | 7547501 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
12 | 7547500 | 17:09:15.887 | CreateKey | 4 System | HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}
23 | 7547499 | 17:09:15.867 | 2428 ATTACKRANGE\Administrator C:\Windows\explorer.exe | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg | MD5=B438F6D8BED6951D154C9DFC0EC7FB77,SHA256=09ABE5C053F8A79664DA4D6A665A97656B7EED5E9F09EEE121104F4BF58CE0FC | IsExecutable false | Archived true
7 | 7547498 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\profapi.dll | 10.0.14393.0 (rs1_release.160715-1616) | User Profile Basic API | PROFAPI.DLL | MD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899
7 | 7547497 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\SHCore.dll | 10.0.14393.4169 (rs1_release.210107-1130) | SHCORE | SHCORE.dll | MD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D
18 | 7547496 | 17:09:15.852 | ConnectPipe | 2428 explorer.exe | \srvsvc
12 | 7547495 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 7547494 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 7547493 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 7547492 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616) | Power Profile Helper DLL | POWRPROF.DLL | MD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575
12 | 7547491 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7547490 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7547489 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547488 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547487 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547486 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7547485 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547484 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547483 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547482 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7547481 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7547480 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547479 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547478 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547477 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7547476 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547475 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547474 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547473 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7547472 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7547471 | 17:09:15.852 | CreateKey | 2428 explorer.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
12 | 7547470 | 17:09:15.852 | CreateKey | 2428 explorer.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9752b235-0000-0000-0000-100000000000}
12 | 7547469 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 7547468 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\shlwapi.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Shell Light-weight Utility Library | SHLWAPI.DLL | MD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA
7 | 7547467 | 17:09:15.836 | 7192 TSTheme.exe | C:\Windows\System32\sxs.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Fusion 2.5 | SXS.DLL | MD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0
12 | 7547466 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 7547465 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 7547464 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 7547463 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7547462 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7547461 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547460 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547459 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547458 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7547457 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547456 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547455 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547454 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7547453 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7547452 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547451 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547450 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547449 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7547448 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7547447 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7547446 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7547445 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7547444 | 17:09:15.852 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7 | 7547443 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\windows.storage.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Microsoft WinRT Storage API | Windows.Storage.dll | MD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBF
7 | 7547442 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Configuration Manager DLL | CFGMGR32.DLL | MD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704
7 | 7547441 | 17:09:15.852 | 7192 TSTheme.exe | C:\Windows\System32\shell32.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Shell Common Dll | SHELL32.DLL | MD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044F
10 | 7547440 | 17:09:15.852 | 836/2460 C:\Windows\system32\svchost.exe -> 4184 C:\Windows\system32\winlogon.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 7547439 | 17:09:15.852 | 836/2460 C:\Windows\system32\svchost.exe -> 4184 C:\Windows\system32\winlogon.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13 | 7547438 | 17:09:15.852 | SetValue | 2428 explorer.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Control Panel\Desktop\LastUpdated => DWORD (0xffffffff)
12 | 7547437 | 17:09:15.852 | CreateKey | 2428 explorer.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Control Panel\Desktop
13 | 7547436 | 17:09:15.852 | SetValue | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop\UserPreferencesMask => Binary Data
12 | 7547435 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop
13 | 7547434 | 17:09:15.852 | SetValue | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop\SmoothScroll => No
12 | 7547433 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop
13 | 7547432 | 17:09:15.852 | SetValue | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\Remote\2\ThemeActive => 0
12 | 7547431 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\Remote\2
13 | 7547430 | 17:09:15.852 | SetValue | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Remote\2\TaskbarAnimations => DWORD (0x00000000)
12 | 7547429 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Remote\2
13 | 7547428 | 17:09:15.852 | SetValue | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop\WindowMetrics\MinAnimate => 0
12 | 7547427 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop\WindowMetrics
12 | 7547426 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel\Desktop
12 | 7547425 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2\Control Panel
12 | 7547424 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote\2
12 | 7547423 | 17:09:15.852 | CreateKey | 7192 TSTheme.exe | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Remote
12 | 7547422 | 17:09:15.836 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 7547421 | 17:09:15.836 | 7192 TSTheme.exe | C:\Windows\System32\clbcatq.dll | 2001.12.10941.16384 (rs1_release.210107-1130) | COM+ Configuration Catalog | CLBCATQ.DLL | MD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2
10 | 7547420 | 17:09:15.836 | 836/2460 C:\Windows\system32\svchost.exe -> 7192 C:\Windows\system32\TSTheme.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 7547419 | 17:09:15.836 | 1248/1928 C:\Windows\system32\svchost.exe -> 7192 C:\Windows\system32\TSTheme.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 7547418 | 17:09:15.836 | 1248/1296 C:\Windows\system32\svchost.exe -> 7192 C:\Windows\system32\TSTheme.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 7547417 | 17:09:15.836 | 7192 TSTheme.exe | C:\Windows\System32\uxtheme.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft UxTheme Library | UxTheme.dll | MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12
7 | 7547416 | 17:09:15.820 | 7192 TSTheme.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C
7 | 7547415 | 17:09:15.820 | 7192 TSTheme.exe | C:\Windows\System32\imm32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Multi-User Windows IMM32 API Client DLL | imm32 | MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A
7 | 7547414 | 17:09:15.820 | 7192 TSTheme.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5
7 | 7547413 | 17:09:15.820 | 7192 TSTheme.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E
7 | 7547412 | 17:09:15.820 | 7192 TSTheme.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | (record cut off here; the remaining fields are not in this section)
SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007547411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.820{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007547410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.820{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007547409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.820{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007547408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.805{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007547407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.805{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007547406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.805{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007547405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.805{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007547404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.805{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007547403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.789{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007547402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.789{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007547401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.787{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007547400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.767{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007547399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.767{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007547398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.752{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007547397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.752{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007547396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007547394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.452{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\PhotoMetadataHandler.dll10.0.14393.4169 (rs1_release.210107-1130)Photo Metadata HandlerMicrosoft® Windows® Operating SystemMicrosoft CorporationPhotoMetadataHandler.dllMD5=6FB0850ABAD1E8FDD1F662FCF819262C,SHA256=3EFCA956A159AE40CE292607EC59E4D258BDE13EAB51AFEF270FE55154CFA26EtrueMicrosoft WindowsValid 12241200x80000000000000007547393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007547389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007547371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.736{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exeC:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464trueMicrosoft WindowsValid 10341000x80000000000000007547370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.736{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007547369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.736{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007547368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.708{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 12241200x80000000000000007547367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
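The records around this point show the full birth of one process as Sysmon sees it: an Event ID 1 for `C:\Windows\system32\TSTheme.exe -Embedding` (PID 7192, `ATTACKRANGE\Administrator`, High integrity, terminal session 2) spawned by `svchost.exe -k DcomLaunch` (PID 836), followed by Event ID 10 ProcessAccess records in which `csrss.exe` and the DcomLaunch `svchost.exe` open the new process with `0x1fffff` (PROCESS_ALL_ACCESS) and the Themes service host (PID 1248, call trace through `themeservice.dll`) opens it with `0x1400`. The snippet below is an added example, not code from the Attack Range project or from this page: it parses Sysmon event XML, rebuilds the lineage of a process from its ProcessCreate record, decodes the GrantedAccess mask into the PROCESS_* rights from winnt.h, and flags ProcessAccess records that carry injection-capable rights from outside a small baseline of system images or whose call trace passes through unbacked memory. The sample events are constructed from the field values visible above plus one synthetic ProcessAccess record (source `C:\Users\Public\sample.exe`, a made-up path) that exists only to exercise the rule; `BASELINE_SOURCES` is an assumption, and a production rule would scope `svchost.exe` by its service group rather than by image name.

```python
"""Correlate Sysmon ProcessCreate (ID 1) and ProcessAccess (ID 10) records:
rebuild a process's lineage, decode the GrantedAccess mask and flag handle
opens that carry injection-capable rights from outside a system baseline."""
import os
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TSTHEME_GUID = "{4DF467A6-913B-613B-7522-01000000F001}"


def _event(event_id, fields):
    """Render one Sysmon event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID>'
            f"<Computer>win-dc-291.attackrange.local</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


def _access(src_guid, src_pid, src_tid, src_image, granted, call_trace):
    return _event(10, {
        "UtcTime": "2021-09-10 17:09:15.736",
        "SourceProcessGUID": src_guid, "SourceProcessId": src_pid,
        "SourceThreadId": src_tid, "SourceImage": src_image,
        "TargetProcessGUID": TSTHEME_GUID, "TargetProcessId": 7192,
        "TargetImage": r"C:\Windows\system32\TSTheme.exe",
        "GrantedAccess": granted, "CallTrace": call_trace})


# Constructed sample. The first four records reuse field values visible in the
# log dump (call traces shortened); the last ProcessAccess record, sourced from
# the made-up path C:\Users\Public\sample.exe, is synthetic test data.
SAMPLE_XML = "<Events>" + _event(1, {
    "UtcTime": "2021-09-10 17:09:15.708", "ProcessGuid": TSTHEME_GUID,
    "ProcessId": 7192, "Image": r"C:\Windows\System32\TSTheme.exe",
    "CommandLine": r"C:\Windows\system32\TSTheme.exe -Embedding",
    "User": r"ATTACKRANGE\Administrator", "IntegrityLevel": "High",
    "ParentProcessGuid": "{4DF467A6-3F47-6132-0C00-00000000F001}",
    "ParentProcessId": 836, "ParentImage": r"C:\Windows\System32\svchost.exe",
    "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch",
}) + _access("{4DF467A6-3F46-6132-0500-00000000F001}", 412, 380,
             r"C:\Windows\system32\csrss.exe", "0x1fffff",
             r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47"
) + _access("{4DF467A6-3F47-6132-0C00-00000000F001}", 836, 2460,
             r"C:\Windows\system32\svchost.exe", "0x1fffff",
             r"C:\Windows\SYSTEM32\ntdll.dll+a7404|c:\windows\system32\rpcss.dll+36dd2"
) + _access("{4DF467A6-3F48-6132-1600-00000000F001}", 1248, 1928,
             r"C:\Windows\system32\svchost.exe", "0x1400",
             r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b"
) + _access("{00000000-0000-0000-0000-000000000000}", 4242, 4243,
             r"C:\Users\Public\sample.exe", "0x1fffff",
             r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(0000000000401000)"
) + "</Events>"


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_events(xml_text):
    """Return one dict per <Event>: EventID plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "Event":
            continue
        rec = {}
        for node in ev.iter():
            name = _local(node.tag)
            if name == "EventID":
                rec["EventID"] = int(node.text)
            elif name == "Data" and node.get("Name"):
                rec[node.get("Name")] = node.text or ""
        events.append(rec)
    return events


def build_process_tree(events):
    """ProcessGuid -> ProcessCreate record, for lineage walks."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def lineage(tree, guid):
    """Command lines from the process up to the oldest known ancestor. When the
    parent predates the log, its command line comes from the child's
    ParentCommandLine field and the walk stops there."""
    chain = []
    while guid in tree:
        rec = tree[guid]
        chain.append(rec["CommandLine"])
        guid = rec["ParentProcessGuid"]
        if guid not in tree:
            chain.append(rec["ParentCommandLine"])
    return chain


# PROCESS_* rights from winnt.h; 0x1fffff is PROCESS_ALL_ACCESS on Vista and later.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights an injector needs: allocate/write memory, start or resume a thread.
INJECTION_MASK = 0x0002 | 0x0008 | 0x0020 | 0x0800
# Assumed baseline: images that legitimately open every new process broadly.
BASELINE_SOURCES = {"csrss.exe", "svchost.exe"}


def decode_access(granted):
    mask = int(granted, 16)
    return [n for bit, n in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def flag_process_access(events, target_guid, baseline=BASELINE_SOURCES):
    """ProcessAccess records on target_guid that deserve analyst attention."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or e["TargetProcessGUID"] != target_guid:
            continue
        src = os.path.basename(e["SourceImage"].replace("\\", "/")).lower()
        reasons = []
        if int(e["GrantedAccess"], 16) & INJECTION_MASK and src not in baseline:
            reasons.append("injection-capable rights from non-baseline image")
        if "UNKNOWN(" in e["CallTrace"]:
            reasons.append("call trace passes through unbacked memory")
        if reasons:
            hits.append({"SourceImage": e["SourceImage"],
                         "GrantedAccess": decode_access(e["GrantedAccess"]),
                         "Reasons": reasons})
    return hits


if __name__ == "__main__":
    evs = parse_sysmon_events(SAMPLE_XML)
    print(" <- ".join(lineage(build_process_tree(evs), TSTHEME_GUID)))
    for hit in flag_process_access(evs, TSTHEME_GUID):
        print(hit)
```

Run against the sample, the three page-derived ProcessAccess records pass quietly: `csrss.exe` and the DcomLaunch `svchost.exe` sit in the baseline, and `0x1400` decodes to only the two QUERY rights, which no injector can use. Only the synthetic record is reported, for both reasons. The `UNKNOWN(...)` check is the cheaper and more robust of the two signals, since it does not depend on an image-name allow list that an attacker can satisfy by hosting code inside a legitimate `svchost.exe`.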
12241200x80000000000000007547366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007547362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.437{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\FontGlyphAnimator.dll10.0.14393.4169 (rs1_release.210107-1130)Font Glyph AnimatorMicrosoft® Windows® Operating SystemMicrosoft CorporationFontGlyphAnimator.dllMD5=3179BAF869C1815F2A39438DD5EFD620,SHA256=7A89DD1B6F0DCF16AF14A03EA04718DAAD8FE01E97C61933BD81E6371251AA31trueMicrosoft WindowsValid 12241200x80000000000000007547361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007547352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.736{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007547336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.437{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\System32\svchost.exeC:\Windows\System32\pnpts.dll10.0.14393.0 (rs1_release.160715-1616)PlugPlay TroubleshooterMicrosoft® Windows® Operating SystemMicrosoft Corporationpnpts.dllMD5=FFA44FD7FEDA32632E8CE84AD0F9101B,SHA256=2A0746A7876C1A430F9C9A5BE4BE28CAA2FF4F73477651AE5CC74462278F333BtrueMicrosoft WindowsValid 12241200x80000000000000007547335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007547331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007547309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.221{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeC:\Windows\System32\ScDeviceEnum.dll10.0.14393.2273 (rs1_release_1.180427-1811)Smart Card Device Enumeration ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationScDeviceEnum.dllMD5=32114341105710A1256AA6F040203FC4,SHA256=02281575F40879B826214431C75410D7B09FDAACFFF2469A3FB00B62DC57CE64trueMicrosoft WindowsValid 12241200x80000000000000007547308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007547303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007547283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\threadpoolwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows WinRT ThreadpoolMicrosoft® Windows® Operating SystemMicrosoft 
Corporationthreadpoolwinrt.dllMD5=4D271D6FA08E19B78A99F948FB012F44,SHA256=92D9A5BC0F95FDE6BA83D17925122815BDF3803D949112852C3D97CFBA16D219trueMicrosoft WindowsValid 12241200x80000000000000007547282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007547275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007547260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.721{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007547255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104CtrueMicrosoft WindowsValid 
12241200x80000000000000007547254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007547239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007547232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1700-00000000F001}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007547227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.168{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfsensorgroup.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Sensor Group DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfsensorgroup.dllMD5=7CB78A0BF4D6AEA6A4C367DFC7645CD0,SHA256=5504F29CAE19AF9A98D65508A350F518AEA1C66235029B1881CA765146E92D99trueMicrosoft WindowsValid 12241200x80000000000000007547226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007547223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007547207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007547205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.705{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007547197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.705{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007547188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.168{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6trueMicrosoft WindowsValid 12241200x80000000000000007547187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007547181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007547166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007547164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.168{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Media.dll10.0.14393.4467 (rs1_release.210604-1844)Windows Media Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Media.dllMD5=D99A463FD833B801A943698AC8AF81EB,SHA256=224405AC2CEFCFBB5E2AE3D98E9A5895BB2C39C128759E2FBCC3E84335E4E6D9trueMicrosoft WindowsValid 12241200x80000000000000007547163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007547152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.689{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007547140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 12241200x80000000000000007547139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 12241200x80000000000000007547138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 13241300x80000000000000007547137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000007547136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x80000000000000007547135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 12241200x80000000000000007547134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum 13241300x80000000000000007547133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x80000000000000007547132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x80000000000000007547131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.636{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 
17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007546974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007546964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.106{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\certCredProvider.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cert Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCredprovider.dllMD5=5C5920708E3A7386E3FB97F06A1CF6CD,SHA256=2CEBA7FEC4C2DA3384BE80CB70C5AF04F45727BDA3DEF9A79F478B071AB9FC0CtrueMicrosoft WindowsValid 12241200x80000000000000007546963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007546953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.589{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.587{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.586{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.090{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729trueMicrosoft WindowsValid 12241200x80000000000000007546937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007546932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007546917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.585{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007546913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.568{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007546912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.568{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E735BFE5BF3834A49E4C297AF50F38BB,SHA256=6C91A03BB81626A279736D0AE63EE39DD75717CEC01E428552844B39839A24A3falsetrue 
13241300x80000000000000007546911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\(Default)Binary Data 12241200x80000000000000007546910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 12241200x80000000000000007546909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0\Properties\{83da6326-97a6-4088-9453-a1923f573b29} 13241300x80000000000000007546908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000007546907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x80000000000000007546906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 12241200x80000000000000007546905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum 
13241300x80000000000000007546904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000007546903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x80000000000000007546902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 12241200x80000000000000007546901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-3F3E-6132-0100-00000000F001}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum 13241300x80000000000000007546900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC\DeviceKindDWORD (0x00000000) 12241200x80000000000000007546899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC 13241300x80000000000000007546898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC\IsTabletPCDWORD (0x00000000) 12241200x80000000000000007546897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\Tablet PC 
13241300x80000000000000007546896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Tablet PC\IsTabletPCDWORD (0x00000000) 12241200x80000000000000007546895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Tablet PC 13241300x80000000000000007546894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007546893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007546892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\NonPreserve\LastAutoRequestDWORD (0x00000000) 12241200x80000000000000007546891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-913A-613B-7122-01000000F001}6212C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\NonPreserve 12241200x80000000000000007546890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.568{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007546735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.536{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007546728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007546726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.068{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1FtrueMicrosoft WindowsValid 12241200x80000000000000007546725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007546714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007546699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.068{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDAtrueMicrosoft WindowsValid 12241200x80000000000000007546698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007546693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.068{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Devices.Enumeration.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Devices.EnumerationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Devices.Enumeration.dllMD5=4C62915A0F4A5D426D857C5DEC342AE9,SHA256=371A5B33833D0433F525EF0A0E61B7EFE5F91142F814241AB291C178B055BCB3trueMicrosoft WindowsValid 12241200x80000000000000007546673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007546665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.521{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007546650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007546649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.505{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.505{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.068{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\facecredentialprovider.dll10.0.14393.4169 (rs1_release.210107-1130)Face Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFaceCredentialProvider.dllMD5=75568151502F3012E5A0B28D53517B21,SHA256=6CD897692F27AF5291034213CFA48CF0A0517C33A5A23ED270F12DDE98FB32D9trueMicrosoft WindowsValid 
12241200x80000000000000007546644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007546629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.505{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007546620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.505{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007546619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007546618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007546617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007546615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
13241300x80000000000000007546613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\AllowLockScreenDWORD (0x00000001) 12241200x80000000000000007546612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData 13241300x80000000000000007546611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LastLoggedOnProvider{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD} 13241300x80000000000000007546610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTileRemote\S-1-5-21-2453051693-1864363570-3931539573-500{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD} 12241200x80000000000000007546609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTileRemote 13241300x80000000000000007546608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch\EnabledDWORD (0x00000000) 
12241200x80000000000000007546607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch 13241300x80000000000000007546606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch\UserSID(Empty) 12241200x80000000000000007546605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch 12241200x80000000000000007546604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts 12241200x80000000000000007546603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\TIP 12241200x80000000000000007546602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Substitutes 12241200x80000000000000007546601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload 12241200x80000000000000007546600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63trueMicrosoft WindowsValid 13241300x80000000000000007546597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload\100000409 12241200x80000000000000007546596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload\1 13241300x80000000000000007546595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007546594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayoutDWORD (0x04090409) 13241300x80000000000000007546593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID{00000000-0000-0000-0000-000000000000} 12241200x80000000000000007546592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007546591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007546590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007546589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007546588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007546587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007546586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007546582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.068{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\cngcredui.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft CNG CredUI ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcngcredui.dllMD5=FE84C1709B761FFCFA7F4340FA451A65,SHA256=329D2D141C9C0ECC68C12E8B68D0413C396F47C83C85621A410773D8BB1A494CtrueMicrosoft WindowsValid 12241200x80000000000000007546581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007546574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 12241200x80000000000000007546565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 13241300x80000000000000007546564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409DWORD (0x00000001) 12241200x80000000000000007546563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 12241200x80000000000000007546561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000007546559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007546558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayoutDWORD (0x04090409) 13241300x80000000000000007546557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID{00000000-0000-0000-0000-000000000000} 12241200x80000000000000007546556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007546555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007546554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007546553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007546552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007546551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 13241300x80000000000000007546550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409DWORD (0x00000001) 12241200x80000000000000007546549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts 12241200x80000000000000007546548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\TIP 12241200x80000000000000007546547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Substitutes 12241200x80000000000000007546546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Keyboard Layout\Preload 12241200x80000000000000007546545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007546544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007546543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 12241200x80000000000000007546542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} 12241200x80000000000000007546541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 12241200x80000000000000007546540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem 12241200x80000000000000007546539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 13241300x80000000000000007546538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\ShowShiftLockDWORD (0x00000001) 13241300x80000000000000007546537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\ShowCasingDWORD (0x00000001) 13241300x80000000000000007546536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\0000000000000409 12241200x80000000000000007546535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 12241200x80000000000000007546534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language 12241200x80000000000000007546533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language 13241300x80000000000000007546532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\LanguagesBinary Data 12241200x80000000000000007546531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 10341000x80000000000000007546530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
13241300x80000000000000007546528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName@Winlangdb.dll,-1121 12241200x80000000000000007546527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile\en-US 12241200x80000000000000007546526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Control Panel\International\User Profile 10341000x80000000000000007546525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007546524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttributeDWORD 
(0x00000001) 13241300x80000000000000007546523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorizationDWORD (0x00000001) 13241300x80000000000000007546522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalanceDWORD (0x00000001) 13241300x80000000000000007546521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalanceDWORD (0x0000000a) 13241300x80000000000000007546520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowDWORD (0xc40075c6) 13241300x80000000000000007546519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalanceDWORD (0x00000059) 13241300x80000000000000007546518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorDWORD (0xc40075c6) 12241200x80000000000000007546517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 
13241300x80000000000000007546516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColorDWORD (0xffc67500) 12241200x80000000000000007546515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 13241300x80000000000000007546514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenuDWORD (0xffc67500) 13241300x80000000000000007546513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenuDWORD (0xff995a00) 10341000x80000000000000007546512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent 13241300x80000000000000007546510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPaletteBinary Data 12241200x80000000000000007546509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent 13241300x80000000000000007546508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttributeDWORD (0x00000001) 
13241300x80000000000000007546507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorizationDWORD (0x00000001) 13241300x80000000000000007546506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalanceDWORD (0x00000001) 13241300x80000000000000007546505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalanceDWORD (0x0000000a) 13241300x80000000000000007546504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowDWORD (0xc40075c6) 13241300x80000000000000007546503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalanceDWORD (0x00000059) 13241300x80000000000000007546502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorDWORD (0xc40075c6) 12241200x80000000000000007546501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 
13241300x80000000000000007546500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColorDWORD (0xffc67500) 12241200x80000000000000007546499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Microsoft\Windows\DWM 12241200x80000000000000007546498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\Colors 12241200x80000000000000007546497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\Colors 10341000x80000000000000007546496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007546494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SelectedUserSIDS-1-5-21-2453051693-1864363570-3931539573-500 12241200x80000000000000007546493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI 13241300x80000000000000007546492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnUserSIDS-1-5-21-2453051693-1864363570-3931539573-500 13241300x80000000000000007546491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnUserATTACKRANGE\administrator 13241300x80000000000000007546490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.490{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3\LoggedOnSAMUserATTACKRANGE\administrator 12241200x80000000000000007546489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007546488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F46-6132-0B00-00000000F001}6368004C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007546483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 10341000x80000000000000007546481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.490{4DF467A6-3F46-6132-0B00-00000000F001}6368004C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007546480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.053{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovs.dll10.0.14393.4169 (rs1_release.210107-1130)Credential ProvidersMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovs.dllMD5=913EF3B2F5DF7C749774F6FF3B054C11,SHA256=4E3F665593865080E37EA4F3108102FD222C2DECE3841F178EAF29A9CCB59C2CtrueMicrosoft WindowsValid 
12241200x80000000000000007546479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 10341000x80000000000000007546466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F46-6132-0B00-00000000F001}6368004C:\Windows\system32\lsass.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007546462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.490{4DF467A6-3F46-6132-0B00-00000000F001}6368004C:\Windows\system32\lsass.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.490{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007546460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007546341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.437{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 12241200x80000000000000007546340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007546339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007546337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovhost.dll10.0.14393.4402 (rs1_release.210426-1725)Credential Provider Framework HostMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovhost.dllMD5=D64A4C4E4CDB8DD6128D4EFAC4118353,SHA256=A503771EBD077D5C5C2EFF2499E074A8B05099A59D68E7668F403EB6DC4A902AtrueMicrosoft WindowsValid 12241200x80000000000000007546336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007546325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.437{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007546311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\CredProvDataModel.dll10.0.14393.4169 (rs1_release.210107-1130)Cred Prov Data ModelMicrosoft® Windows® Operating SystemMicrosoft CorporationCredProvDataModel.dllMD5=6B8B71ABE125771FEE8A44D0F941CEF3,SHA256=1C7C0865C8BD4CD12867432AC71144923344F596EFA2D7C42DD9EF37F508F519trueMicrosoft WindowsValid 12241200x80000000000000007546310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007546304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007546287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007546286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64172A565D151DF51D99F6B4B45BCE58,SHA256=2517D538F10DC43C95B281DE9CF3B1F5BCB441D02F1962A048311A184C993B6Bfalsetrue 12241200x80000000000000007546285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\InputSwitch.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Input SwitcherMicrosoft® Windows® Operating SystemMicrosoft CorporationInputSwitch.dllMD5=2B36BB851BC67134276AF104374E1AE7,SHA256=5BBE3DAB8CC51D7979C85F6794AC87EC01033B10381C9975BB82EFDD130C71F8trueMicrosoft WindowsValid 12241200x80000000000000007546282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007546277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007546262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.421{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
734700x80000000000000007546255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4467 (rs1_release.210604-1844)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=4D2537567A93ABF1D93CB7A7E76F954C,SHA256=5740181B56927C0DC66A6BCECA15EA2806A0ED471A01F785AD47C8C73A1DF85FtrueMicrosoft WindowsValid 12241200x80000000000000007546254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
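The export on this page has lost the delimiters between event fields, so every record reads as one fused string. The Python below is an added example, not part of the original export and not code from Sysmon or Splunk: it recovers the fields from Sysmon's fixed field order for the four event types present here (12 RegistryEvent, 7 ImageLoad, 11 FileCreate, 23 FileDelete), using records copied verbatim from this page as its constructed input, and then runs the checks a reviewer of this log would want: which processes created keys under the certificate Disallowed stores, whether every image LogonUI.exe loaded carries a valid signature, and which files the forwarder both created and deleted. The field names, the list of SignatureStatus values and the assumption that fields were fused in schema order with nothing between them are the example's own.

```python
"""Recover the fields of a Sysmon export whose delimiters were lost.

Added example (not part of the original export, of Sysmon or of Splunk). The
extraction fused each event's XML fields in schema order with nothing between
them; SAMPLE_RECORDS are copied verbatim from this page, everything else is
the example's own assumption.
"""
import re
from collections import Counter

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"                  # Sysmon UtcTime
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATH = r"[A-Za-z]:\\.+?"                                       # lazy drive-letter path
HASHES = r"(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+(?:,(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+)*"

# System header shared by every record: EventID Version Level Task Opcode
# Keywords EventRecordID Channel Computer RuleName. Task == EventID for Sysmon,
# which splits the leading digit run; Keywords is 0x8000000000000000 and a
# record ID never starts with 0, which splits the next one. RuleName is '-'.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x8[0-9A-Fa-f]*?)(?P<record_id>[1-9]\d*)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)"
    r"(?P<computer>.+?)-(?P<body>(?:CreateKey|DeleteKey)?" + TS + r".*)$"
)

# EventData, in schema order, for the event types present in this export.
BODY = {
    "12": re.compile(  # RegistryEvent: object create / delete
        r"^(?P<event_type>CreateKey|DeleteKey)(?P<utc_time>" + TS + r")"
        r"(?P<process_guid>" + GUID + r")(?P<process_id>\d+)"
        r"(?P<image>" + PATH + r"\.exe)(?P<target_object>HK.+)$"),
    "7": re.compile(  # ImageLoad; Description/Product/Company/OriginalFileName stay fused
        r"^(?P<utc_time>" + TS + r")(?P<process_guid>" + GUID + r")(?P<process_id>\d+)"
        r"(?P<image>" + PATH + r"\.exe)(?P<image_loaded>" + PATH + r"\.(?:dll|exe))"
        r"(?P<file_version>\d+(?:\.\d+)+ \([^)]*\))(?P<file_meta>.+?)"
        r"(?P<hashes>" + HASHES + r")(?P<signed>true|false)"
        r"(?P<signature>.*?)(?P<signature_status>Valid|Unavailable|Invalid|Expired|Revoked)$"),
    "11": re.compile(  # FileCreate
        r"^(?P<utc_time>" + TS + r")(?P<process_guid>" + GUID + r")(?P<process_id>\d+)"
        r"(?P<image>" + PATH + r"\.exe)(?P<target_filename>" + PATH + r")"
        r"(?P<creation_utc_time>" + TS + r")$"),
    "23": re.compile(  # FileDelete (archived)
        r"^(?P<utc_time>" + TS + r")(?P<process_guid>" + GUID + r")(?P<process_id>\d+)"
        r"(?P<user>.+?)(?P<image>" + PATH + r"\.exe)(?P<target_filename>" + PATH + r")"
        r"(?P<hashes>" + HASHES + r")(?P<is_executable>true|false)(?P<archived>true|false)$"),
}

# Constructed input: six records copied verbatim from this page.
SAMPLE_RECORDS = [
    r"12241200x80000000000000007546371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.452{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs",
    r"12241200x80000000000000007546366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.452{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing",
    r"12241200x80000000000000007546365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.452{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs",
    r"734700x80000000000000007546367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.452{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValid",
    r"11241100x80000000000000007546287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675",
    r"23542300x80000000000000007546286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64172A565D151DF51D99F6B4B45BCE58,SHA256=2517D538F10DC43C95B281DE9CF3B1F5BCB441D02F1962A048311A184C993B6Bfalsetrue",
]


def parse_record(raw):
    """Split one fused record into named fields; ValueError if it does not fit the schema."""
    head = HEADER.match(raw.strip())
    if head is None:
        raise ValueError("unrecognised header: %r" % raw[:40])
    fields = {k: v for k, v in head.groupdict().items() if k != "body"}
    body_re = BODY.get(fields["event_id"])
    if body_re is None:
        raise ValueError("no body pattern for Event ID %s" % fields["event_id"])
    body = body_re.match(head.group("body"))
    if body is None:
        raise ValueError("record %s does not fit the Event ID %s schema"
                         % (fields["record_id"], fields["event_id"]))
    fields.update(body.groupdict())
    return fields


def parse_records(raws):
    return [parse_record(r) for r in raws]


# The registry-backed 'Disallowed' (explicitly distrusted) certificate stores.
DISALLOWED_STORE = re.compile(r"\\(?:SystemCertificates|EnterpriseCertificates)\\Disallowed(?:\\|$)")


def disallowed_store_writers(events):
    """CreateKey events under a Disallowed store, counted per (image, key).

    The creating image is what separates a signature-verification side effect
    from an unexpected process touching the machine's trust stores.
    """
    counts = Counter()
    for e in events:
        if (e["event_id"] == "12" and e["event_type"] == "CreateKey"
                and DISALLOWED_STORE.search(e["target_object"])):
            counts[(e["image"], e["target_object"])] += 1
    return counts


def not_validly_signed(events):
    """Event 7 loads whose Signed/SignatureStatus are not true/Valid."""
    return [e["image_loaded"] for e in events if e["event_id"] == "7"
            and not (e["signed"] == "true" and e["signature_status"] == "Valid")]


def create_delete_pairs(events):
    """(image, path) pairs that the same process both created (11) and deleted (23)."""
    created = {(e["image"], e["target_filename"]) for e in events if e["event_id"] == "11"}
    deleted = {(e["image"], e["target_filename"]) for e in events if e["event_id"] == "23"}
    return sorted(created & deleted)


if __name__ == "__main__":
    evs = parse_records(SAMPLE_RECORDS)
    for (image, key), n in disallowed_store_writers(evs).items():
        print(n, image, key)
    print("loads not validly signed:", not_validly_signed(evs))
    print("create/delete pairs:", create_delete_pairs(evs))
```

Run as a script, the summary shows the only writer of Disallowed-store keys in these records is sysmon64.exe, alongside the WinTrust "Software Publishing" key, which is consistent with Sysmon opening the CryptoAPI certificate stores while it verifies the signatures it reports in its own Event 7 records; the same keys created by any other image would deserve a look, because the Disallowed store is where a certificate is explicitly distrusted. The FileCreate/FileDelete pair by splunk-winevtlog.exe on its var\lib\splunk\modinputs\WinEventLog path is the forwarder rewriting its per-input checkpoint, and Archived=true records that Sysmon kept a copy of the deleted file. The parser stops at the fields it can split unambiguously: Description, Product, Company and OriginalFileName of an Event 7 record stay fused in file_meta, since nothing in the export marks where one ends and the next begins.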
12241200x80000000000000007546241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.405{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007546225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.990{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\DWrite.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=1875083243EE498D0B2BB6B025AD7520,SHA256=A3FA592126642537BF6F0E4E9750A43A899525FE616DE899ABD7F26A9E7620C4trueMicrosoft WindowsValid 12241200x80000000000000007546224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007546220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007546205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.385{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 12241200x80000000000000007546203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.368{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.368{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007546200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4583 (rs1_release.210730-1850)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINDOWS.UI.IMMERSIVE.dllMD5=C3ABC6F71036CD4F4FD947774D2B12F0,SHA256=F747F8236190DD21A19554C97D8C027C6A5EC080EF327CCD6E8359E1B164E32EtrueMicrosoft WindowsValid 12241200x80000000000000007546199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007546198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007546192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007546177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.352{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007546174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.906{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Xaml.dll10.0.14393.4583 (rs1_release.210730-1850)Windows.UI.Xaml dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Xaml.dllMD5=331BB4051CC2EFC406D652380B707EA4,SHA256=61499D4A3046453E5A478C76A652945E6A6EE5687ACB8509F6EDB89A6E52FFDDtrueMicrosoft WindowsValid 12241200x80000000000000007546173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000007546171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007546156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.337{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007546149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.221{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.221{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.221{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007546146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.221{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15trueMicrosoft WindowsValid 13241300x80000000000000007546145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.206{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\IdleTimeDWORD (0x000000ac) 12241200x80000000000000007546144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.206{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI 
11241100x80000000000000007546143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007546142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF0A252666F345495B279F0C7CE21FB,SHA256=6D8CDF657FD7E63018BFBEFDC68FC0770ABA367736DF168FC9B55617C7BA2218falsetrue 12241200x80000000000000007546141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\System\CurrentControlSet\Control\Terminal Server 12241200x80000000000000007546140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services 10341000x80000000000000007546139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007546129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11trueMicrosoft WindowsValid 734700x80000000000000007546128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15trueMicrosoft WindowsValid 12241200x80000000000000007546127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKCR 734700x80000000000000007546126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.190{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 12241200x80000000000000007546125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.168{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007546124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.168{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007546123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007546122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007546121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.890{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 12241200x80000000000000007546120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007546119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007546117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007546116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.969{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 12241200x80000000000000007546115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007546111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007546102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007546101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007546100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007546098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.153{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007546097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007546096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BB05888DC5EDDB50467204C58945DE,SHA256=8913D186EF7EEBE485313D45B4523CF9D3262D6358DFE5F1B641D9DCF601913Efalsetrue 10341000x80000000000000007546095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.121{4DF467A6-3F48-6132-0F00-00000000F001}3085104C:\Windows\System32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.121{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.121{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.121{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData 10341000x80000000000000007546091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.121{4DF467A6-3F46-6132-0B00-00000000F001}6368004C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.121{4DF467A6-3F46-6132-0B00-00000000F001}6368004C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.106{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.106{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.106{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.106{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.106{4DF467A6-3F48-6132-0F00-00000000F001}3085104C:\Windows\System32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.106{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007546083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.106{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007546082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
12241200x80000000000000007545961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.068{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.068{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.068{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.068{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.068{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid 18141800x80000000000000007545956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:15.053{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 734700x80000000000000007545955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.053{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 12241200x80000000000000007545954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007545951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.837{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\Windows.Gaming.Input.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Gaming Input APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Gaming.Input.dllMD5=6947CE1BEE28DA84EF0F9A9CCAC220D9,SHA256=5350654F9C04864F2A364C368348C1799DB7A949286AD946726D0A3583942386trueMicrosoft WindowsValid 12241200x80000000000000007545950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007545942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\3 12241200x80000000000000007545927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData 734700x80000000000000007545926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000007545925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 11241100x80000000000000007545923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 734700x80000000000000007545922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9trueMicrosoft WindowsValid 23542300x80000000000000007545921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983354FA65B290B6313D93BDF4EAE5B3,SHA256=B9EC14E27D5A6E24CD8C75223440CDCF75DF384058E121D960F068B02E7F7132falsetrue 12241200x80000000000000007545920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007545918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
13241300x80000000000000007545917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\127\52C64B7E\@Winlangdb.dll,-1121English (United States) 734700x80000000000000007545916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.837{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\UIAnimation.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Animation ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAnimation.DLLMD5=7F8B0CD5AB8C3E677B98400A2E7C3A75,SHA256=D49C09FBF9BD077A81CB9DA8DE09D2EB1835BCF5F0153373DCE6B484A0F64227trueMicrosoft WindowsValid 13241300x80000000000000007545915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:15.037{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exeHKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x80000000000000007545914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.037{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007545891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 12241200x80000000000000007545890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
18141800x80000000000000007545889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:15.022{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007545888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007545887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000007545886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:15.022{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 17141700x80000000000000007545885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:15.022{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007545884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F57-6132-2500-00000000F001}2764C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007545880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F48-6132-0F00-00000000F001}3085104C:\Windows\System32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007545877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007545870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000007545869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007545868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.822{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AEtrueMicrosoft WindowsValid 12241200x80000000000000007545867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 10341000x80000000000000007545866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
12241200x80000000000000007545865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007545864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AEtrueMicrosoft WindowsValid 12241200x80000000000000007545863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x80000000000000007545852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x80000000000000007545846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+82744|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007545841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F47-6132-0C00-00000000F001}8366716C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:15.022{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007545836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007545835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007545834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.822{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8trueMicrosoft WindowsValid 12241200x80000000000000007545831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.022{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007545810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007545809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:15.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D116ED409BD7A6A31181694E0E413190,SHA256=A4E70C21CB072BB5017AC1272F60281934991865DC63CF4C01F408E4A2B35AAAfalsetrue 12241200x80000000000000007545808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007545807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.822{4DF467A6-913A-613B-7422-01000000F001}7036C:\Windows\System32\dwm.exeC:\Windows\System32\d3d11.dll10.0.14393.4467 (rs1_release.210604-1844)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
CorporationD3D11.dllMD5=F940A91B13592184F228ECC14D8D9358,SHA256=2BC05A4D09CDBAB8DB5F767DC95F31B2CA324928A94F004C7C2968E3E9E635E2trueMicrosoft WindowsValid 12241200x80000000000000007545806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007545805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007545804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:14.953{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d11.dll10.0.14393.4467 (rs1_release.210604-1844)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=F940A91B13592184F228ECC14D8D9358,SHA256=2BC05A4D09CDBAB8DB5F767DC95F31B2CA324928A94F004C7C2968E3E9E635E2trueMicrosoft WindowsValid 12241200x80000000000000007545803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007545802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007545801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007545800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007545789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007545786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007545785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007545784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007545783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:15.006{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000007548485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.950{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\ScaleFactors\ScaleFactorsBinary Data 12241200x80000000000000007548484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.950{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\ScaleFactors 13241300x80000000000000007548483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|SpringsCSSSpanBinary Data 13241300x80000000000000007548482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|SearchbarCSSSpanBinary Data 13241300x80000000000000007548481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|UrlbarCSSSpanBinary Data 13241300x80000000000000007548480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|CssToDevPixelScalingBinary Data 13241300x80000000000000007548479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|FlagsDWORD (0x00000002) 13241300x80000000000000007548478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|MaximizedDWORD (0x00000000) 13241300x80000000000000007548477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program 
Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|HeightDWORD (0x000003cf) 13241300x80000000000000007548476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|WidthDWORD (0x00000510) 13241300x80000000000000007548475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|ScreenYDWORD (0x00000013) 13241300x80000000000000007548474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|ScreenXDWORD (0x00000166) 12241200x80000000000000007548473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.751{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings 734700x80000000000000007548472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.404{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating 
SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6trueMicrosoft WindowsValid 12241200x80000000000000007548471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007548470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007548469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007548468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007548464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.420{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007548447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.404{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7LayoutBinary Data 12241200x80000000000000007548446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser 12241200x80000000000000007548445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 12241200x80000000000000007548444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007548443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007548442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\MyComputer\Namespace\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7} 12241200x80000000000000007548441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer 13241300x80000000000000007548440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag\Target\\tsclient\malware 12241200x80000000000000007548439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag 13241300x80000000000000007548438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag\ResolveLinkFlagsDWORD (0x00000050) 
12241200x80000000000000007548437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag 13241300x80000000000000007548436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag\AttributesDWORD (0x00000010) 12241200x80000000000000007548435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag 13241300x80000000000000007548434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\LoadWithoutCOM(Empty) 12241200x80000000000000007548433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.404{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance 13241300x80000000000000007548432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\CLSID{0AFACED1-E828-11D1-9187-B532F1E9575D} 12241200x80000000000000007548431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance 13241300x80000000000000007548430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\ShellFolder\WantsFORPARSING(Empty) 12241200x80000000000000007548429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\ShellFolder 13241300x80000000000000007548428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\ShellFolder\PinToNameSpaceTree(Empty) 12241200x80000000000000007548427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\ShellFolder 13241300x80000000000000007548426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\ShellFolder\AttributesDWORD (0xf0000008) 12241200x80000000000000007548425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\ShellFolder 13241300x80000000000000007548424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InProcServer32\LoadWithoutCOM(Empty) 12241200x80000000000000007548423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InProcServer32 13241300x80000000000000007548422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InProcServer32\ThreadingModelApartment 12241200x80000000000000007548421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InProcServer32 13241300x80000000000000007548420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 12241200x80000000000000007548419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InProcServer32 13241300x80000000000000007548418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\DefaultIcon\(Default)%%SystemRoot%%\system32\shell32.dll,9 
12241200x80000000000000007548417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\DefaultIcon 13241300x80000000000000007548416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\InfoTipDisk from Remote Desktop Connection 13241300x80000000000000007548415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\(Default)malware on C02DN3AYMD6P 12241200x80000000000000007548414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7} 12241200x80000000000000007548413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Wow6432Node\CLSID 12241200x80000000000000007548412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Wow6432Node\CLSID 13241300x80000000000000007548411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag\Target\\tsclient\malware 
12241200x80000000000000007548410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag 13241300x80000000000000007548409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag\ResolveLinkFlagsDWORD (0x00000050) 12241200x80000000000000007548408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag 13241300x80000000000000007548407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag\AttributesDWORD (0x00000010) 12241200x80000000000000007548406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\InitPropertyBag 13241300x80000000000000007548405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance\LoadWithoutCOM(Empty) 12241200x80000000000000007548404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.388{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKCR\CLSID\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\Instance 
18141800x80000000000000007548300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:16.351{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007548299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}29483972C:\Windows\sysmon64.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.351{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007548297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.351{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007548296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.323{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80}C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007548295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.351{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.351{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007548293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007548292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.320{4DF467A6-D465-6138-7BCD-00000000F001}976C:\Windows\System32\taskhostw.exeC:\Windows\System32\TaskSchdPS.dll10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Interfaces ProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationTaskSchdPS.dllMD5=2C64E139BAC3F2852567622F77B02C50,SHA256=EA9ED3B6173722EA707EDCFD7276E036E56F957B85822B727986BCD6F7FACD5CtrueMicrosoft WindowsValid 12241200x80000000000000007548291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007548290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007548289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007548286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007548268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007548267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007548266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007548265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.304{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\themeui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Theme APIMicrosoft® Windows® Operating SystemMicrosoft CorporationThemeUI.DLLMD5=D2452DBF8859CD3476600D8998F88660,SHA256=DB4BD64B1DFC9467EDD2C14E1AE47411523CB39FE26E635BD6ABD8F51C559749trueMicrosoft WindowsValid 12241200x80000000000000007548264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007548263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007548262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007548258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.336{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007548241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.336{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program 
Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 13241300x80000000000000007548240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.320{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007548239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.320{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF55A08-96F4-456F-9FDE-373EE15D7588}\DynamicInfoBinary Data 12241200x80000000000000007548238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.320{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF55A08-96F4-456F-9FDE-373EE15D7588} 10341000x80000000000000007548237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.320{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.320{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007548235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:16.304{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF55A08-96F4-456F-9FDE-373EE15D7588}\DynamicInfoBinary Data 12241200x80000000000000007548234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.304{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF55A08-96F4-456F-9FDE-373EE15D7588} 18141800x80000000000000007548233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:16.304{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007548232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.304{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007548231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.304{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1F00-00000000F001}1616C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1700-00000000F001}1376C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1300-00000000F001}932C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0E00-00000000F001}1000C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0900-00000000F001}568C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-40A0-613A-90FA-00000000F001}6120C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-407C-613A-8AFA-00000000F001}8036C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-407B-613A-89FA-00000000F001}7396C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-407B-613A-88FA-00000000F001}6732C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D4A1-6138-0ACF-00000000F001}5976C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D479-6138-CCCE-00000000F001}6628C:\Windows\system32\fontdrvhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D479-6138-C8CE-00000000F001}3840C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D475-6138-C7CE-00000000F001}6356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D470-6138-89CE-00000000F001}2600C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D46F-6138-84CE-00000000F001}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-8FCD-00000000F001}4568C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-8ECD-00000000F001}6412C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-8DCD-00000000F001}3508C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-8CCD-00000000F001}6456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-7BCD-00000000F001}976C:\Windows\system32\taskhostw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-E17D-6137-89B0-00000000F001}3268C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-E17D-6137-88B0-00000000F001}5604C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D934-6137-57AF-00000000F001}5448C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-98CB-6137-D8A6-00000000F001}5848C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-98CB-6137-D7A6-00000000F001}3468C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-44B8-6132-3406-00000000F001}6016C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F805-00000000F001}3292C:\Windows\system32\taskhostw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F605-00000000F001}1404C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-EF05-00000000F001}4896C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3FD1-6132-9000-00000000F001}384C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F5A-6132-4400-00000000F001}3616C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F59-6132-3700-00000000F001}3256C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-3000-00000000F001}2000C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2C00-00000000F001}2956C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2A00-00000000F001}2924C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F57-6132-2500-00000000F001}2764C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F51-6132-2300-00000000F001}2592C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F4B-6132-2200-00000000F001}2516C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F4B-6132-2100-00000000F001}2508C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1F00-00000000F001}1616C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1700-00000000F001}1376C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1300-00000000F001}932C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0E00-00000000F001}1000C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.267{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0900-00000000F001}568C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000007548084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.251{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\System32\winlogon.exe 10341000x80000000000000007548083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.251{4DF467A6-3F48-6132-1600-00000000F001}12481916C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.251{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.251{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.251{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.251{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.251{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.251{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla 
17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000007547963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007547962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000007547961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007547960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000007547959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007547958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007547957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 
734700x80000000000000007547956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007547955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000007547954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007547953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 
12241200x80000000000000007547952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007547951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 12241200x80000000000000007547950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007547949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007547948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft 
WindowsValid 534500x80000000000000007547947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exe 734700x80000000000000007547946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000007547945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007547942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007547940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007547937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007547936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.167{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\System32\NgcCtnrSvc.dll10.0.14393.1770 (rs1_release.170917-1700)Microsoft Passport Container ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNgcCtnrSvc.dllMD5=DD248F485177E78F4737A0A3242B2D9D,SHA256=6381B8B1290D7960164681C05221C0F42EFD1E7CB654655A9788709842B20646trueMicrosoft WindowsValid 12241200x80000000000000007547935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007547927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007547926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000007547925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007547919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007547918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 18141800x80000000000000007547917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:16.189{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007547916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+c12673|C:\Program Files\Mozilla Firefox\xul.dll+c11d1a|C:\Program Files\Mozilla Firefox\xul.dll+3c65d1|C:\Program Files\Mozilla Firefox\xul.dll+278c98e|C:\Program Files\Mozilla Firefox\xul.dll+278d851|C:\Program Files\Mozilla Firefox\xul.dll+2865e27|C:\Program Files\Mozilla Firefox\xul.dll+10377a|C:\Program Files\Mozilla Firefox\xul.dll+39012b1|C:\Program Files\Mozilla Firefox\xul.dll+8b5491|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028 734700x80000000000000007547915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 10341000x80000000000000007547914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.189{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007547912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007547911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.189{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007547910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.189{4DF467A6-913C-613B-7722-01000000F001}2932C:\Windows\System32\AtBroker.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007547909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.185{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.185{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007547907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.184{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.184{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.184{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007547904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.151{4DF467A6-913A-613B-7322-01000000F001}6700C:\Windows\System32\LogonUI.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FFtrueMicrosoft WindowsValid 12241200x80000000000000007547903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.184{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.184{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.184{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 10341000x80000000000000007547795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.120{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007547794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.120{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007547793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.120{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007547792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.120{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000007547791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.120{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007547790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.120{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000007547789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 12241200x80000000000000007547788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007547787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007547786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007547785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 12241200x80000000000000007547784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007547783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007547782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007547775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 12241200x80000000000000007547774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007547772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007547768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007547767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007547766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007547765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007547764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBEtrueMicrosoft WindowsValid 12241200x80000000000000007547763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007547762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007547761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000007547760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007547759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exeMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56FtrueMicrosoft WindowsValid 734700x80000000000000007547758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000007547757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007547756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000007547755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 12241200x80000000000000007547754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007547753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000007547752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007547751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007547750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® 
Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007547749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007547748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007547747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007547746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007547745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007547744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007547743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007547742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007547741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007547740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-913A-613B-7222-01000000F001}7476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
Sysmon records from channel Microsoft-Windows-Sysmon/Operational on win-dc-291.attackrange.local. In the raw export the leading digits of each record are EventID, Version, Level, Task and Opcode run together (for example "10 3 4 10 0"), followed by Keywords, EventRecordID, Channel, Computer and Security UserID. Every record below has Level 4, Opcode 0, Keywords 0x8000000000000000, no Security UserID ("-") and UtcTime 2021-09-10 17:09:16.104. Records are listed in the export's order, highest record ID first.

Event ID 10 (ProcessAccess), version 3

Source process for every row except 7547731: C:\Windows\system32\svchost.exe, SourceProcessGuid {4DF467A6-3F47-6132-0C00-00000000F001}, SourceProcessId 836. The export runs SourceProcessId and SourceThreadId together (e.g. "8365996"); 836 is the only PID split that is consistent across all thread IDs seen for this GUID, so the table shows PID 836 and the thread ID separately.
Source process for row 7547731: C:\Windows\system32\csrss.exe, SourceProcessGuid {4DF467A6-4446-6132-EC05-00000000F001}, fused SourceProcessId/SourceThreadId value 17644228 (the split is not recoverable from the export).

Target processes:
  T1  {4DF467A6-3F48-6132-1600-00000000F001}  PID 1248  C:\Windows\system32\svchost.exe
  T2  {4DF467A6-3F48-6132-1200-00000000F001}  PID 852   C:\Windows\System32\svchost.exe
  T3  {4DF467A6-913A-613B-7222-01000000F001}  PID 7476  C:\Windows\system32\winlogon.exe
  T4  {4DF467A6-913C-613B-7622-01000000F001}  PID 3172  C:\Windows\System32\rdpclip.exe
  T5  {4DF467A6-4448-6132-F305-00000000F001}  PID 4552  C:\Windows\System32\rdpclip.exe
  T6  {4DF467A6-3EE5-613A-21FA-00000000F001}  PID 2428  C:\Windows\explorer.exe

RecordID  SourceImage  PID/TID      Target  GrantedAccess  CallTrace
7547737   svchost.exe  836/5996     T3      0x40           A
7547736   svchost.exe  836/7076     T1      0x1400         B1
7547735   svchost.exe  836/5872     T2      0x1400         B1
7547734   svchost.exe  836/7076     T1      0x1400         B2
7547733   svchost.exe  836/5872     T2      0x1400         B2
7547732   svchost.exe  836/7076     T1      0x1400         B1
7547731   csrss.exe    17644228     T4      0x1fffff       C
7547730   svchost.exe  836/6936     T2      0x1400         B1
7547729   svchost.exe  836/7076     T1      0x1400         B2
7547728   svchost.exe  836/6936     T2      0x1400         B2
7547727   svchost.exe  836/5872     T1      0x1400         B1
7547726   svchost.exe  836/5872     T1      0x1400         B2
7547725   svchost.exe  836/6936     T2      0x1400         B1
7547724   svchost.exe  836/7076     T2      0x1400         B1
7547723   svchost.exe  836/6936     T2      0x1400         B2
7547722   svchost.exe  836/7076     T2      0x1400         B2
7547721   svchost.exe  836/5872     T2      0x1400         B1
7547720   svchost.exe  836/7076     T1      0x1400         B1
7547719   svchost.exe  836/5872     T2      0x1400         B2
7547718   svchost.exe  836/7076     T1      0x1400         B2
7547717   svchost.exe  836/7076     T5      0x1400         B3
7547716   svchost.exe  836/5872     T1      0x1400         B1
7547715   svchost.exe  836/5872     T1      0x1400         B2
7547714   svchost.exe  836/6936     T1      0x1400         B1
7547713   svchost.exe  836/5752     T2      0x1400         B1
7547712   svchost.exe  836/6936     T1      0x1400         B2
7547711   svchost.exe  836/5260     T2      0x1400         B1
7547710   svchost.exe  836/5752     T2      0x1400         B2
7547709   svchost.exe  836/5260     T2      0x1400         B2
7547708   svchost.exe  836/5872     T2      0x1400         B1
7547707   svchost.exe  836/5260     T1      0x1400         B1
7547706   (Event ID 7, see below)
7547705   svchost.exe  836/5872     T2      0x1400         B2
7547704   svchost.exe  836/5260     T1      0x1400         B2
7547703   svchost.exe  836/5872     T1      0x1400         B1
7547702   svchost.exe  836/5260     T2      0x1400         B1
7547701   svchost.exe  836/5872     T1      0x1400         B2
7547700   svchost.exe  836/5260     T2      0x1400         B2
7547699   (Event ID 7, see below)
7547698   svchost.exe  836/5260     T1      0x1400         B1
7547697   svchost.exe  836/5260     T1      0x1400         B2
7547696   svchost.exe  836/5260     T6      0x1400         B3
7547695   svchost.exe  836/5872     T1      0x1400         B1
7547694   (Event ID 12, see below)
7547693   (Event ID 10; record truncated, see below)

CallTrace values. TAIL is the frame sequence shared by A, B1, B2 and B3:
  TAIL = C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
  A  = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|TAIL
  B1 = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|TAIL
  B2 = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|TAIL
  B3 = C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|TAIL
  C  = C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f

Event ID 7 (ImageLoad), version 3. Both records: Image C:\Windows\System32\rdpclip.exe, ProcessGuid {4DF467A6-913C-613B-7622-01000000F001}, ProcessId 3172; FileVersion 10.0.14393.4350 (rs1_release.210407-2154); Description "Windows NT BASE API Client DLL"; Product "Microsoft® Windows® Operating System"; Company "Microsoft Corporation"; Signed true; Signature "Microsoft Windows"; SignatureStatus Valid.
  7547706  ImageLoaded C:\Windows\System32\KernelBase.dll  OriginalFileName Kernelbase.dll  MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0
  7547699  ImageLoaded C:\Windows\System32\kernel32.dll    OriginalFileName kernel32        MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886

Event ID 12 (RegistryEvent), version 2
  7547694  EventType CreateKey  ProcessGuid {4DF467A6-3F58-6132-2B00-00000000F001}  ProcessId 2948  Image C:\Windows\sysmon64.exe  TargetObject HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Record 7547693 (Event ID 10, version 3) is cut off by the end of this extract after its header fields: 10 3 4 10 0 0x8000000000000000 7547693 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10
17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.104{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007547688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007547687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 18141800x80000000000000007547686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:16.104{4DF467A6-3F48-6132-0F00-00000000F001}308\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe 10341000x80000000000000007547685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.104{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007547684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.104{4DF467A6-3F48-6132-0F00-00000000F001}3086092C:\Windows\System32\svchost.exe{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x80000000000000007547683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.066{4DF467A6-913C-613B-7622-01000000F001}3172C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 12241200x80000000000000007547682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007547681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 734700x80000000000000007547680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.089{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.201002-1707)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=C82536B6DCD3370E13D1D34D4A05F13F,SHA256=CD636DCC4516803B77C2CDFECF3A14ADF25F7A8B00F23F1D57A7BA7BD87663DFtrueMicrosoft WindowsValid 10341000x80000000000000007547679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.089{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007547678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeNameNormalSize 12241200x80000000000000007547677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorNameNormalColor 12241200x80000000000000007547675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName%%SystemRoot%%\resources\themes\Aero\Aero.msstyles 12241200x80000000000000007547673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedPPI96 12241200x80000000000000007547671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPIPlateaus1 12241200x80000000000000007547669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI96 12241200x80000000000000007547667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID1033 12241200x80000000000000007547665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore1 12241200x80000000000000007547663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 13241300x80000000000000007547662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive1 12241200x80000000000000007547661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.089{4DF467A6-4446-6132-ED05-00000000F001}4184C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager 11241100x80000000000000007547660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.089{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg2021-09-10 17:09:16.089 13241300x80000000000000007547659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.086{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 10341000x80000000000000007547658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.085{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.085{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365752C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365752C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365872C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.084{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
(remainder of the ProcessAccess record whose header and UtcTime date precede this line) UtcTime continues 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365752 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547647] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365752 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547646] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547645] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547644] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547643] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547642] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547641] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.083 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
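The raw records on this page are Sysmon XML with the element tags removed, so adjacent fields run together: EventID, Version, Level, Task, Opcode and Keywords form the leading digit run, EventRecordID runs into the channel name, RuleName "-" butts against the EventType or the timestamp, line breaks fall inside records (even inside UtcTime), and in ProcessAccess events SourceProcessId and SourceThreadId fuse into one number. The Python below is an added example, not part of the page's dataset and not Sysmon or Splunk tooling: it splits the stream back into records using the Sysmon field order for the event types present here (10, 11, 12, 13, 17, 18), recovers what the text still determines, and leaves fused what it does not. The sample text is built from records on this page with the call traces shortened. Two things in it are heuristics rather than Sysmon fields and are marked as such in the code: the PID/TID split (Windows process and thread IDs are multiples of 4, and several events from the same SourceProcessGUID pin the common prefix down), and the registry Details split, which only works when Sysmon rendered the data in a fixed shape such as "DWORD (0x…)" or "(Empty)"; a string value like "winspool,Ne01:,15,45" stays fused with its value name.

```python
import os, re
from collections import Counter, defaultdict

# System block once the tags are gone: EventID Version Level Task Opcode, "0x"+Keywords,
# then EventRecordID running into the channel name. Task equals EventID in Sysmon, so a
# backreference splits the leading digit run unambiguously.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"0x(?P<keywords>[0-9A-F]{16})(?P<rid>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<etype>[A-Za-z]*)"  # RuleName "-", then EventType where the type has one
    r"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
GUID_PID = r"\{(?P<ProcessGuid>[^}]+)\}(?P<ProcessId>\d+)"
DATA = {  # EventData after UtcTime, in Sysmon schema order, for the event types on this page
    10: re.compile(r"\{(?P<SourceProcessGUID>[^}]+)\}(?P<SourceProcessId_SourceThreadId>\d+)"
                   r"(?P<SourceImage>.+?)\{(?P<TargetProcessGUID>[^}]+)\}(?P<TargetProcessId>\d+)"
                   # GrantedAccess ends where the first CallTrace frame (a drive path) begins
                   r"(?P<TargetImage>.+?)(?P<GrantedAccess>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|$)(?P<CallTrace>.*)"),
    11: re.compile(GUID_PID + r"(?P<Image>.+?\.exe)(?P<TargetFilename>.+?)"
                   r"(?P<CreationUtcTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})$"),
    12: re.compile(GUID_PID + r"(?P<Image>.+?\.exe)(?P<TargetObject>HK.*)"),
    13: re.compile(GUID_PID + r"(?P<Image>.+?\.exe)(?P<TargetObject_Details>HK.*)"),
    17: re.compile(GUID_PID + r"(?P<PipeName>\\.+?)(?P<Image>[A-Za-z]:\\.*)"),
}
DATA[18] = DATA[17]
# Sysmon renders non-string registry data in these fixed shapes; only then can value name
# and data be separated again. A string value stays fused with its name.
DETAILS = re.compile(r"(DWORD \(0x[0-9A-F]{8}\)|QWORD \(0x[0-9A-F]{16}\)|Binary Data|\(Empty\))$")

SAMPLE = (  # constructed from records on this page; call traces shortened
    r"18141800x80000000000000007547640Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:16.067{4DF467A6-3F48-6132-0F00-00000000F001}308"
    r"\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7C:\Windows\System32\svchost.exe "
    r"12241200x80000000000000007547634Microsoft-Windows-Sysmon/Operational"
    "win-dc-291.attackrange.local-CreateKey2021-09-10 \n"  # the page breaks lines inside UtcTime
    r"17:09:16.067{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe"
    r"HKLM\System\CurrentControlSet\Control\Terminal Server "
    r"13241300x80000000000000007547626Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.067{4DF467A6-3F57-6132-2500-00000000F001}2764"
    r"C:\Windows\System32\spoolsv.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\Ne01:(Empty) "
    r"13241300x80000000000000007547628Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.067{4DF467A6-3F57-6132-2500-00000000F001}2764"
    r"C:\Windows\System32\spoolsv.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft"
    r"\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDFwinspool,Ne01:,15,45 "
    r"13241300x80000000000000007547602Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.067{4DF467A6-3EE5-613A-21FA-00000000F001}2428"
    r"C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\Control Panel\Desktop"
    r"\TranscodedImageCountDWORD (0x00000001) "
    r"11241100x80000000000000007547604Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-2021-09-10 17:09:16.067{4DF467A6-3EE5-613A-21FA-00000000F001}2428"
    r"C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles"
    r"2021-09-10 17:09:16.067 "
    r"10341000x80000000000000007547635Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-2021-09-10 17:09:16.067{4DF467A6-3F47-6132-0C00-00000000F001}8365260"
    r"C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe"
    r"0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18 "
    r"10341000x80000000000000007547603Microsoft-Windows-Sysmon/Operational"
    r"win-dc-291.attackrange.local-2021-09-10 17:09:16.067{4DF467A6-3F47-6132-0C00-00000000F001}8364816"
    r"C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe"
    r"0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18")


def parse(text):
    """Split a tag-stripped export into records; newlines are deleted, not spaced."""
    text = text.replace("\r", "").replace("\n", "")
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end].strip()
        rec = {"EventID": int(h["eid"]), "Version": int(h["ver"]), "Level": int(h["level"]),
               "Opcode": int(h["opcode"]), "Keywords": "0x" + h["keywords"], "EventRecordID": int(h["rid"]),
               "Computer": h["computer"], "EventType": h["etype"] or None, "UtcTime": h["utc"]}
        m = DATA[rec["EventID"]].match(body) if rec["EventID"] in DATA else None
        if m is None:
            rec["EventData"] = body  # event type not modelled here: keep the raw body
        else:
            rec.update(m.groupdict())
            if rec["EventID"] == 13:
                fused = rec.pop("TargetObject_Details")
                d = DETAILS.search(fused)
                rec["TargetObject"] = fused[:d.start()] if d else fused
                rec["Details"] = d.group(1) if d else None  # None: name and data still fused
        records.append(rec)
    return records


def infer_source_pid(fused_values):
    """Heuristic, not a Sysmon field: across all fused PID+TID values seen for one
    SourceProcessGUID, the PID is the longest common prefix that is a multiple of 4
    and leaves every remainder a multiple of 4 (Windows PIDs and TIDs always are)."""
    vals = sorted(set(fused_values))
    prefix = os.path.commonprefix(vals) if len(vals) > 1 else ""
    for n in range(len(prefix), 0, -1):
        if int(prefix[:n]) % 4 == 0 and all(len(v) > n and int(v[n:]) % 4 == 0 for v in vals):
            return int(prefix[:n])
    return None


def resolve_source_pids(records):
    """Apply infer_source_pid per SourceProcessGUID; unsettled records keep only the fused field."""
    by_guid = defaultdict(list)
    for r in records:
        if "SourceProcessId_SourceThreadId" in r:
            by_guid[r["SourceProcessGUID"]].append(r["SourceProcessId_SourceThreadId"])
    pids = {g: infer_source_pid(v) for g, v in by_guid.items()}
    for r in records:
        pid = pids.get(r.get("SourceProcessGUID"))
        if pid is not None:
            r["SourceProcessId"] = pid
            r["SourceThreadId"] = int(r["SourceProcessId_SourceThreadId"][len(str(pid)):])
    return records


def summarize(records):
    """Counts per EventID plus the non-ProcessAccess records (pipe, registry, file activity)."""
    counts = Counter(r["EventID"] for r in records)
    notable = [(r["EventRecordID"], r["EventID"], r["EventType"], r.get("Image"),
                r.get("PipeName") or r.get("TargetObject") or r.get("TargetFilename"))
               for r in records if r["EventID"] != 10]
    return counts, notable
```

Run over the whole page, summarize() is what makes the burst readable: the ProcessAccess records are svchost.exe (the lsm.dll Local Session Manager host, PID 836 by the heuristic above) opening other svchost.exe instances and spoolsv.exe through RPC-dispatched calls with GrantedAccess 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) and, in two records, 0x40 (PROCESS_DUP_HANDLE). The records left in `notable` are the ones that describe what happened in that second: PID 308 creating and connecting the \TSVCPIPE-… pipe, PID 852 touching the Terminal Server and Terminal Services policy keys, spoolsv.exe writing redirected printer ports Ne00:/Ne01: under the RID-500 user's hive, and explorer.exe populating the theme cache, which together is consistent with a Terminal Services session being set up for the built-in Administrator on win-dc-291.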
[EventRecordID 7547640] EventID=18 (PipeConnected) Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F48-6132-0F00-00000000F001} ProcessId=308 PipeName=\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7 Image=C:\Windows\System32\svchost.exe
[EventRecordID 7547639] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4
[EventRecordID 7547638] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-0F00-00000000F001} TargetProcessId=308 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4
[EventRecordID 7547637] EventID=18 (PipeConnected) Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=ConnectPipe UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F48-6132-0F00-00000000F001} ProcessId=308 PipeName=\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7 Image=C:\Windows\System32\svchost.exe
[EventRecordID 7547636] EventID=17 (PipeCreated) Version=1 Level=4 Task=17 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreatePipe UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F48-6132-0F00-00000000F001} ProcessId=308 PipeName=\TSVCPIPE-5956aedd-c74f-4f37-8b49-ef6f8f11d1b7 Image=C:\Windows\System32\svchost.exe
[EventRecordID 7547635] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547634] EventID=12 (RegistryEvent, key create/delete) Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F48-6132-1200-00000000F001} ProcessId=852 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Control\Terminal Server
[EventRecordID 7547633] EventID=12 (RegistryEvent, key create/delete) Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F48-6132-1200-00000000F001} ProcessId=852 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
[EventRecordID 7547632] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547631] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547630] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8364816 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F57-6132-2500-00000000F001} TargetProcessId=2764 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547629] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547628] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF Details=winspool,Ne01:,15,45
[EventRecordID 7547627] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF Details=winspool,Ne01:
[EventRecordID 7547626] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\Ne01: Details=(Empty)
[EventRecordID 7547625] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer Details=winspool,Ne00:,15,45
[EventRecordID 7547624] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer Details=winspool,Ne00:
[EventRecordID 7547623] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\Ne00: Details=(Empty)
[EventRecordID 7547622] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\OneNote (Desktop) Details=winspool,nul:,15,45
[EventRecordID 7547621] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\OneNote (Desktop) Details=winspool,nul:
[EventRecordID 7547620] EventID=12 (RegistryEvent, key create/delete) Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts
[EventRecordID 7547619] EventID=12 (RegistryEvent, key create/delete) Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices
[EventRecordID 7547618] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547617] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547616] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547615] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547614] EventID=12 (RegistryEvent, key create/delete) Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3F57-6132-2500-00000000F001} ProcessId=2764 Image=C:\Windows\System32\spoolsv.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Printers
[EventRecordID 7547613] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F57-6132-2500-00000000F001} TargetProcessId=2764 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547612] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547611] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547610] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8364816 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547609] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547608] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8364816 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547607] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547606] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547605] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547604] EventID=11 (FileCreate) Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3EE5-613A-21FA-00000000F001} ProcessId=2428 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles CreationUtcTime=2021-09-10 17:09:16.067
[EventRecordID 7547603] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8364816 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547602] EventID=13 (RegistryEvent, value set) Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3EE5-613A-21FA-00000000F001} ProcessId=2428 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Control Panel\Desktop\TranscodedImageCount Details=DWORD (0x00000001)
[EventRecordID 7547601] EventID=12 (RegistryEvent, key create/delete) Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- EventType=CreateKey UtcTime=2021-09-10 17:09:16.067 ProcessGuid={4DF467A6-3EE5-613A-21FA-00000000F001} ProcessId=2428 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\Control Panel\Desktop
[EventRecordID 7547600] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547599] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.067 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547598] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.051 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1200-00000000F001} TargetProcessId=852 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547597] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.051 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8364816 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547596] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.051 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8364816 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547595] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 17:09:16.051 SourceProcessGUID={4DF467A6-3F47-6132-0C00-00000000F001} SourceProcessId+SourceThreadId=8365260 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={4DF467A6-3F48-6132-1600-00000000F001} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventRecordID 7547594] EventID=10 (ProcessAccess) Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-291.attackrange.local RuleName=- UtcTime=2021-09-10 (the time and event data of this record continue on the following line)
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8365260C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 10341000x80000000000000007547586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000007547584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000007547583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 10341000x80000000000000007547582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007547577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EdpCredentials 12241200x80000000000000007547576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\SystemCertificates\MY 10341000x80000000000000007547575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007547574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007547573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\Volatile Environment\2\CLIENTNAMEC02DN3AYMD6P 12241200x80000000000000007547572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\Volatile Environment\2 13241300x80000000000000007547571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\Volatile Environment\2\SESSIONNAMERDP-Tcp#10 12241200x80000000000000007547570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\Volatile 
Environment\2 10341000x80000000000000007547569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007547568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:16.051{4DF467A6-3F47-6132-0C00-00000000F001}8362460C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000007547567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.051{4DF467A6-4446-6132-EC05-00000000F001}1764C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007547566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:16.051{4DF467A6-4446-6132-EC05-00000000F001}1764C:\Windows\system32\csrss.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007547565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:16.051{4DF467A6-4446-6132-EC05-00000000F001}1764C:\Windows\system32\csrss.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PUUActiveBinary Data 
23542300x80000000000000002131667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:16.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E17E18EF7CC1CB2FD0BD1859CE711E,SHA256=6B90F7D3120D71A15ECAF4C21E3CAD91891B50C9B87365FF493004D418083F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007548497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.294{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-291.attackrange.local137netbios-ns 354300x80000000000000007548496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.294{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-291.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x80000000000000007548495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.290{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63677- 354300x80000000000000007548494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:08:59.288{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57734- 13241300x80000000000000007548493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:17.134{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\ScaleFactors\ScaleFactorsBinary Data 12241200x80000000000000007548492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:17.134{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\ScaleFactors 11241100x80000000000000007548491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:17.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007548490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:17.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9129B9C809168E6766287C1BF8FB79C2,SHA256=71DF6378917DE83748E965C4FBBA7221EB415A13E4833F026572793964AA51B1falsetrue 11241100x80000000000000007548489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:17.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007548488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:17.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CC66673CD21510591405C0FEF355C0,SHA256=758C0BA2F67A16542E5C87A5EA3055103651A206FACE731527BA93B49B289F00falsetrue 13241300x80000000000000007548487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:17.003{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\ScaleFactors\ScaleFactorsBinary Data 12241200x80000000000000007548486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:17.003{4DF467A6-913C-613B-7822-01000000F001}6328C:\Windows\system32\DllHost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-2453051693-1864363570-3931539573-500\AnyoneRead\ScaleFactors 354300x80000000000000002131670Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:08.843{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62368-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:17.141{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619A6C30C6C7FBAA8B02F9B2A8620F7C,SHA256=EB13546BD6032EE65BEAC139F469C5454CEA8616472135A2ADF33F5E08C08DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:17.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E268D0662652A15CF3B358CAEA80FE8,SHA256=68EFB5339F6F967FBB7B4B51F013E7C68AC19694EB9CD2742048695576BA62C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007548513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:18.916{4DF467A6-4448-6132-F305-00000000F001}45525232C:\Windows\System32\rdpclip.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5344e|C:\Windows\System32\SHELL32.dll+84772|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:18.916{4DF467A6-4448-6132-F305-00000000F001}45525232C:\Windows\System32\rdpclip.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+533b8|C:\Windows\System32\SHELL32.dll+84772|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:18.916{4DF467A6-4448-6132-F305-00000000F001}45525232C:\Windows\System32\rdpclip.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5339a|C:\Windows\System32\SHELL32.dll+84772|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007548510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:18.916{4DF467A6-4448-6132-F305-00000000F001}45525232C:\Windows\System32\rdpclip.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5339a|C:\Windows\System32\SHELL32.dll+84772|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007548509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:18.148{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007548508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:18.148{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000007548507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968\lsassC:\Windows\system32\DFSRs.exe 13241300x80000000000000007548506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x80000000000000007548505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x80000000000000007548504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-09-10 17:09:18.133 12241200x80000000000000007548503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 13241300x80000000000000007548502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Config SourceDWORD (0x00000001) 13241300x80000000000000007548501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML 
12241200x80000000000000007548500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 11241100x80000000000000007548499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:18.133{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML.TMP2021-09-10 17:09:18.133 12241200x80000000000000007548498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:18.133{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000002131671Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:18.143{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DA6A07D179FA26B74AE165C4B65190,SHA256=D7CED74658619ABC5AADD2A8BD4A8168274BDBB6F75F98D865FFA059EC383DE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007548527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007548526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=998433436A5D5937BE3692CCA320D21A,SHA256=AC6B9DCEB468685E284AFBBAB93CC415844ECA98A801C02492F8A12131AFF0A3falsetrue 354300x80000000000000007548525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.020{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56766-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007548524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.020{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56766-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007548523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.015{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56765-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007548522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.015{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56765-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007548521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.004{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56764-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007548520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.004{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56764-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007548519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:01.002{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56763-false10.0.1.12-8000- 11241100x80000000000000007548518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007548517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB4E34CEF598988C74B2E4780F7F54D,SHA256=3E7C59F6366035ED5E2B534A916789257524B7B56C89F99517AC9F9BC0920E0Cfalsetrue 11241100x80000000000000007548516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007548515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2ACA405F30B0521C8DA777EB634FA22C,SHA256=F3558120DAC666B3215FF60F9B98A9CC24ED3A6BA8AA15D0EB633C3BEF0379FAfalsetrue 12241200x80000000000000007548514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:19.162{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x80000000000000002131685Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-913F-613B-9F1B-01000000F101}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131684Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131683Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131682Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131681Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131679Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131678Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:19.267{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-913F-613B-9F1B-01000000F101}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.267{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-913F-613B-9F1B-01000000F101}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.261{AEE49BD1-913F-613B-9F1B-01000000F101}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:19.145{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A6653C1EE1C75D4CDE46B434CD1AB7,SHA256=9EE797ED9A3753CCEAFEC3C184E79FCC07C51E106F60A8AB022FE176485FFD9D,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000007548617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|SpringsCSSSpanBinary Data 13241300x80000000000000007548616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|SearchbarCSSSpanBinary Data 13241300x80000000000000007548615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|UrlbarCSSSpanBinary Data 13241300x80000000000000007548614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|CssToDevPixelScalingBinary Data 13241300x80000000000000007548613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|FlagsDWORD (0x00000002) 
13241300x80000000000000007548612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|MaximizedDWORD (0x00000001) 13241300x80000000000000007548611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|HeightDWORD (0x000003cf) 13241300x80000000000000007548610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|WidthDWORD (0x00000510) 13241300x80000000000000007548609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|ScreenYDWORD (0x00000013) 13241300x80000000000000007548608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings\C:\Program Files\Mozilla Firefox\firefox.exe|ScreenXDWORD (0x00000166) 
12241200x80000000000000007548607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:20.897{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings 23542300x80000000000000007548606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:20.697{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\pending_pings\65ed3f30-9a70-46cd-92fa-4762e6dc791dMD5=5ED649B708F1FB690FC5B81170C56B0C,SHA256=17E9F8ACD7542A09CCC65EF629AC2AC49B5CCF565281956C92F962427C959DE4falsetrue 11241100x80000000000000007548605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:20.697{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\A323394C0E548977440EB30505E85C53A93258A02021-09-10 17:09:20.697 12241200x80000000000000007548604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:20.597{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:20.597{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000007548602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007548528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:20.360{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 23542300x80000000000000002131687Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:20.300{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8CA9D225868185F844F63EDF3354979,SHA256=185A25CC09B5F33F3C55167923D8AC387534D4CD1968B3E35B7789764104B476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131686Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:20.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DEEC8B0EB7F403F57D525643FBC337,SHA256=E69C22D51572013159B89399D5E9165CA7C093C612CDB33EDE4996876B0CB41F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007548631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:21.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007548630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:21.995{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0876F6D66D1424CCA93010D176011D32,SHA256=86C0D25D8CCBC7F28BB34162A3803E58C104E1611B9962BECDFCE5F4D99B275Afalsetrue 534500x80000000000000007548629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:21.911{4DF467A6-913B-613B-7522-01000000F001}7192C:\Windows\System32\TSTheme.exe 354300x80000000000000007548628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.345{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56767-false52.37.158.247ec2-52-37-158-247.us-west-2.compute.amazonaws.com443https 354300x80000000000000007548627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.343{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56860- 354300x80000000000000007548626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.341{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-56013-false127.0.0.1-53domain 354300x80000000000000007548625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.330{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56013- 354300x80000000000000007548624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:03.329{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:2322:29b:ffff-56013-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000007548623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.304{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56013- 10341000x80000000000000007548622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:21.627{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007548621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.318{4DF467A6-4079-613A-86FA-00000000F001}5896incoming.telemetry.mozilla.org0type: 5 telemetry-incoming.r53-2.services.mozilla.com;type: 5 pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com;52.37.158.247;35.167.137.152;54.70.80.82;35.155.229.139;52.12.55.135;34.215.46.102;35.155.6.125;54.148.159.250;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:03.317{4DF467A6-4079-613A-86FA-00000000F001}5896incoming.telemetry.mozilla.org0type: 5 
telemetry-incoming.r53-2.services.mozilla.com;type: 5 pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com;::ffff:52.37.158.247;::ffff:35.167.137.152;::ffff:54.70.80.82;::ffff:35.155.229.139;::ffff:52.12.55.135;::ffff:34.215.46.102;::ffff:35.155.6.125;::ffff:54.148.159.250;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x80000000000000007548619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:21.381{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpg2021-09-10 17:09:21.381 11241100x80000000000000007548618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:21.375{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles2021-09-10 17:09:21.375 23542300x80000000000000002131688Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:21.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FE7923558DC8753D7B0C9417F0E1E1,SHA256=5B8794032D37052E4AAEACBCFE95130EA6890D7DF2BEFED3144C290E32E1E847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007548651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla 
Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+c28e2b|C:\Program Files\Mozilla Firefox\xul.dll+c21c12|C:\Program Files\Mozilla Firefox\xul.dll+c27250|C:\Program Files\Mozilla Firefox\xul.dll+c27991|C:\Program Files\Mozilla Firefox\xul.dll+3b5d81|C:\Program Files\Mozilla Firefox\xul.dll+c28749|C:\Program Files\Mozilla Firefox\xul.dll+c2b702|C:\Program Files\Mozilla Firefox\xul.dll+c28166|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+c2b178|C:\Program Files\Mozilla Firefox\xul.dll+c2b4dd 10341000x80000000000000007548650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+27b7e68|C:\Program Files\Mozilla Firefox\xul.dll+27a91ac|C:\Program Files\Mozilla Firefox\xul.dll+c22c71|C:\Program Files\Mozilla Firefox\xul.dll+27a027d|C:\Program Files\Mozilla Firefox\xul.dll+c29f86|C:\Program 
Files\Mozilla Firefox\xul.dll+c2313b|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+27a14ee|C:\Program Files\Mozilla Firefox\xul.dll+27a1284|C:\Program Files\Mozilla Firefox\xul.dll+c2b1e2|C:\Program Files\Mozilla Firefox\xul.dll+c24fb9 10341000x80000000000000007548649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+c293a0|C:\Program Files\Mozilla Firefox\xul.dll+27b524b|C:\Program Files\Mozilla Firefox\xul.dll+27a8336|C:\Program Files\Mozilla Firefox\xul.dll+c228ea|C:\Program Files\Mozilla Firefox\xul.dll+27a027d|C:\Program Files\Mozilla Firefox\xul.dll+c29f86|C:\Program Files\Mozilla Firefox\xul.dll+c2313b|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+27a14ee|C:\Program Files\Mozilla Firefox\xul.dll+27a1284|C:\Program Files\Mozilla Firefox\xul.dll+c2b1e2 10341000x80000000000000007548648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla 
Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+c28e2b|C:\Program Files\Mozilla Firefox\xul.dll+c21c12|C:\Program Files\Mozilla Firefox\xul.dll+c27250|C:\Program Files\Mozilla Firefox\xul.dll+c27991|C:\Program Files\Mozilla Firefox\xul.dll+3b5d81|C:\Program Files\Mozilla Firefox\xul.dll+c28749|C:\Program Files\Mozilla Firefox\xul.dll+c2b702|C:\Program Files\Mozilla Firefox\xul.dll+c28166|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+c2b178|C:\Program Files\Mozilla Firefox\xul.dll+c2b4dd 10341000x80000000000000007548647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dd32|C:\Program Files\Mozilla Firefox\xul.dll+b976b3|C:\Program Files\Mozilla Firefox\xul.dll+b97344|C:\Program Files\Mozilla 
Firefox\xul.dll+b97b7c|C:\Program Files\Mozilla Firefox\xul.dll+f8b322|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e 10341000x80000000000000007548646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dd32|C:\Program Files\Mozilla Firefox\xul.dll+b976b3|C:\Program Files\Mozilla Firefox\xul.dll+b97344|C:\Program Files\Mozilla Firefox\xul.dll+b97b7c|C:\Program Files\Mozilla Firefox\xul.dll+f8b322|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program 
Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e 10341000x80000000000000007548645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dd32|C:\Program Files\Mozilla Firefox\xul.dll+b976b3|C:\Program Files\Mozilla Firefox\xul.dll+b97344|C:\Program Files\Mozilla Firefox\xul.dll+b97b7c|C:\Program Files\Mozilla Firefox\xul.dll+f8b322|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e 10341000x80000000000000007548644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla 
Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dd32|C:\Program Files\Mozilla Firefox\xul.dll+b976b3|C:\Program Files\Mozilla Firefox\xul.dll+b97344|C:\Program Files\Mozilla Firefox\xul.dll+b97b7c|C:\Program Files\Mozilla Firefox\xul.dll+f8b322|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e 10341000x80000000000000007548643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dd32|C:\Program Files\Mozilla Firefox\xul.dll+b976b3|C:\Program Files\Mozilla Firefox\xul.dll+b97344|C:\Program Files\Mozilla Firefox\xul.dll+b97b7c|C:\Program Files\Mozilla Firefox\xul.dll+f8b322|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program 
Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e 10341000x80000000000000007548642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.994{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+c12673|C:\Program Files\Mozilla Firefox\xul.dll+c11d1a|C:\Program Files\Mozilla Firefox\xul.dll+c096d3|C:\Program Files\Mozilla Firefox\xul.dll+c130c0|C:\Program Files\Mozilla Firefox\xul.dll+f8b298|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0 
10341000x80000000000000007548641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.975{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.975{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla 
Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:22.975{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla 
Sysmon records from channel Microsoft-Windows-Sysmon/Operational on win-dc-291.attackrange.local and win-host-296.attackrange.local, one record per block, in the order of the original dump. Header values identical on every record are given here once instead of being repeated: Level=4, Opcode=0, Keywords=0x8000000000000000, Task equal to the EventID, RuleName=-, and schema Version 5 for Event IDs 3, 22 and 23, Version 3 for Event ID 10, Version 2 for Event IDs 11, 12 and 13. Where the dump runs SourceProcessId and SourceThreadId together, the split follows the firefox.exe ProcessId 5896 that the Event 11 and 12 records carry on its own; for the single svchost.exe record the split is not recoverable and the digits are left as they appear.

  CallTrace (tail of the record that begins before this section)=...Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548638 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:22.975
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=6692 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548637 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:22.973
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=6692 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548636 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:22.972
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=6692 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+27b7e68|C:\Program Files\Mozilla Firefox\xul.dll+27a91ac|C:\Program Files\Mozilla Firefox\xul.dll+c22c71|C:\Program Files\Mozilla Firefox\xul.dll+27a027d|C:\Program Files\Mozilla Firefox\xul.dll+c29f86|C:\Program Files\Mozilla Firefox\xul.dll+c2313b|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+27a14ee|C:\Program Files\Mozilla Firefox\xul.dll+27a1284|C:\Program Files\Mozilla Firefox\xul.dll+c2b1e2|C:\Program Files\Mozilla Firefox\xul.dll+c24fb9

[Event 11 FileCreate] EventRecordID=7548635 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:22.810
  ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-09-03 15:27:39.769

[Event 23 FileDelete] EventRecordID=7548634 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:22.810
  ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=D9DBCC0CE611A69164BDC0EF8390E109,SHA256=DFA2F60B83F2EE94D099D7D626533B1F2E9B0BC1D52119229855A7B1D1EAEA4F IsExecutable=false Archived=true

[Event 22 DnsQuery] EventRecordID=7548633 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:03.319
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  QueryName=pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com QueryStatus=0
  QueryResults=35.167.137.152;54.70.80.82;35.155.229.139;52.12.55.135;34.215.46.102;35.155.6.125;54.148.159.250;52.37.158.247;

[Event 10 ProcessAccess] EventRecordID=7548632 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:22.274
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=6692 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d

[Event 23 FileDelete] EventRecordID=2131690 Computer=win-host-296.attackrange.local UtcTime=2021-09-10 17:09:22.489
  ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=C6CF553FBC2F3134CEF7458C1D61A323,SHA256=DD752F28095B8341EE37BAE12C599E4CD227DD89B86DE55EFECADD4BA1B54865,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

[Event 23 FileDelete] EventRecordID=2131689 Computer=win-host-296.attackrange.local UtcTime=2021-09-10 17:09:22.150
  ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=989726D1900757A1AA5A812614A2CFE9,SHA256=AD9AB9C98DAD879436947C139A26691EA25936209BB3A8234FA038917AEB2C0F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

[Event 22 DnsQuery] EventRecordID=7548654 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:04.531
  ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image=C:\Windows\sysmon64.exe
  QueryName=247.158.37.52.in-addr.arpa. QueryStatus=0 QueryResults=type: 12 ec2-52-37-158-247.us-west-2.compute.amazonaws.com;

[Event 13 RegistryEvent EventType=SetValue] EventRecordID=7548653 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:23.371
  ProcessGuid={4DF467A6-3EE5-613A-21FA-00000000F001} ProcessId=2428 Image=C:\Windows\explorer.exe
  TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA Details=Binary Data

[Event 13 RegistryEvent EventType=SetValue] EventRecordID=7548652 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:23.371
  ProcessGuid={4DF467A6-3EE5-613A-21FA-00000000F001} ProcessId=2428 Image=C:\Windows\explorer.exe
  TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\308046O0NS4N39PO Details=Binary Data

[Event 3 NetworkConnect] EventRecordID=2131692 Computer=win-host-296.attackrange.local UtcTime=2021-09-10 17:09:14.038
  ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} ProcessId=3472 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM
  Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-296.attackrange.local SourcePort=62369 SourcePortName=-
  DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-

[Event 23 FileDelete] EventRecordID=2131691 Computer=win-host-296.attackrange.local UtcTime=2021-09-10 17:09:23.151
  ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=AB2F6E129899595879D75AF21873C4FC,SHA256=BC1009D26E5E376537DCC17E3F67B7725529067BE48B38E5AC2A5F5D0039EDC1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548729 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.975
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548728 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.975
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 11 FileCreate] EventRecordID=7548727 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.952
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\AE8A837183D7DCC537977D2AA2BC3B7EFF11F8C5 CreationUtcTime=2021-09-10 17:09:24.952

[Event 11 FileCreate] EventRecordID=7548726 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.936
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\48DF3473DF306C1F79D86A3C682E8C75E4D7D03C CreationUtcTime=2021-09-10 17:09:24.936

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548725 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.920
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548724 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.920
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548723 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.920
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548722 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.920
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 10 ProcessAccess] EventRecordID=7548721 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.912
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548720 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.912
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548719 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.784
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548718 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.756
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548717 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.756
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548716 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.756
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548715 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.756
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548714 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.756
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548713 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.756
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 10 ProcessAccess] EventRecordID=7548712 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.748
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548711 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.748
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548710 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.748
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 3 NetworkConnect] EventRecordID=7548709 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:06.079
  ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} ProcessId=4208 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM
  Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-291.attackrange.local SourcePort=56768 SourcePortName=-
  DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-

[Event 10 ProcessAccess] EventRecordID=7548708 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.740
  SourceProcessGUID={4DF467A6-3F48-6132-1100-00000000F001} SourceProcessId+SourceThreadId=3601648 (run together in the dump; boundary not recoverable) SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={4DF467A6-40A0-613A-90FA-00000000F001} TargetProcessId=6120 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548707 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.688
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548706 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.688
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 10 ProcessAccess] EventRecordID=7548705 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.680
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=6692 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-40A0-613A-90FA-00000000F001} TargetProcessId=6120 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x2200
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+e75c88|C:\Program Files\Mozilla Firefox\xul.dll+e71579|C:\Program Files\Mozilla Firefox\xul.dll+e71f53|C:\Program Files\Mozilla Firefox\xul.dll+e611fd|C:\Program Files\Mozilla Firefox\xul.dll+4016ff3|C:\Program Files\Mozilla Firefox\xul.dll+229b551|C:\Program Files\Mozilla Firefox\xul.dll+9fddcd|C:\Program Files\Mozilla Firefox\xul.dll+9c35c1|C:\Program Files\Mozilla Firefox\xul.dll+1a16dd|C:\Program Files\Mozilla Firefox\xul.dll+a00f57|C:\Program Files\Mozilla Firefox\xul.dll+4184446|C:\Program Files\Mozilla Firefox\xul.dll+9cb8fb|C:\Program Files\Mozilla Firefox\xul.dll+9ce601|C:\Program Files\Mozilla Firefox\xul.dll+9cd3ce|C:\Program Files\Mozilla Firefox\xul.dll+9cc72e|C:\Program Files\Mozilla Firefox\xul.dll+9d63f8|C:\Program Files\Mozilla Firefox\xul.dll+91f063|C:\Program Files\Mozilla Firefox\xul.dll+8bfbb7|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac

[Event 23 FileDelete] EventRecordID=7548704 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.602
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\formhistory.sqlite-journal
  Hashes=MD5=B3CF76E51317F44C5000EA228BE2C1DA,SHA256=8C2DF58BCBAC42C14742AA1E72236A86777570690D95341DE0C4440FDD54F137 IsExecutable=false Archived=true

[Event 11 FileCreate] EventRecordID=7548703 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.594
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\formhistory.sqlite-journal CreationUtcTime=2021-09-10 17:09:24.594

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548702 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.583
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548701 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.583
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548700 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.583
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548699 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.583
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548698 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.507
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548697 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.507
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548696 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.471
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548695 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.471
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 10 ProcessAccess] EventRecordID=7548694 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.371
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548693 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.371
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548692 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.323
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548691 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.323
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 11 FileCreate] EventRecordID=7548690 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.307
  ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational CreationUtcTime=2021-09-03 15:27:39.754

[Event 11 FileCreate] EventRecordID=7548689 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.307
  ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-09-03 15:27:39.769

[Event 23 FileDelete] EventRecordID=7548688 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.307
  ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational
  Hashes=MD5=E1595A2AB95417FE2BC446A623FA0EAD,SHA256=C9087BF650A081039DB05AFAE10F7A06CC381848B022F9B15F4E10A78506830A IsExecutable=false Archived=true

[Event 23 FileDelete] EventRecordID=7548687 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.307
  ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=3F5DCEBAF679AEC2F9831FDF1C0C5123,SHA256=918686DABD53FBF1F538054ED44F4928B3859BCC25D7E00BA803D32ABE59E563 IsExecutable=false Archived=true

[Event 11 FileCreate] EventRecordID=7548686 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.292
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\16C6B40DA5C76207C826469FD2E4A167E190D4CF CreationUtcTime=2021-09-03 20:44:01.936

[Event 11 FileCreate] EventRecordID=7548685 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.292
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\3E3CBE223340653B501CCC0AE32C3C96CC0AFD7D CreationUtcTime=2021-09-09 17:17:27.727

[Event 23 FileDelete] EventRecordID=7548684 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.292
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\doomed\8011
  Hashes=MD5=84E8105F5594938E695ACE34A5FC15D9,SHA256=9EEEC1214CC2F26D162E370B807EFF4E267238710A04DB889504C42648F5EC02 IsExecutable=false Archived=true

[Event 10 ProcessAccess] EventRecordID=7548683 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.292
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548682 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548681 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548680 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548679 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548678 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 10 ProcessAccess] EventRecordID=7548677 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=7184 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548676 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548675 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548674 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548673 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.255
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548672 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.208
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548671 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.208
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548670 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.192
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 12 RegistryEvent EventType=CreateKey] EventRecordID=7548669 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.192
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

[Event 11 FileCreate] EventRecordID=7548668 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.192
  ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} ProcessId=5896 Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495 CreationUtcTime=2021-09-03 20:44:01.351

[Event 10 ProcessAccess] EventRecordID=7548667 Computer=win-dc-291.attackrange.local UtcTime=2021-09-10 17:09:24.172
  SourceProcessGUID={4DF467A6-4079-613A-86FA-00000000F001} SourceProcessId=5896 SourceThreadId=6692 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID={4DF467A6-407B-613A-87FA-00000000F001} TargetProcessId=6428 TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess=0x40
  CallTrace (cut off at the end of this section)=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+c293a0|C:\Program Files\Mozilla Firefox\xul.dll+c28d1d|C:\Program Files\Mozilla Firefox\xul.dll+c21de4|C:\Program Files\Mozilla Firefox\xul.dll+c27250|C:\Program 
Files\Mozilla Firefox\xul.dll+c27991|C:\Program Files\Mozilla Firefox\xul.dll+3b5d81|C:\Program Files\Mozilla Firefox\xul.dll+c28749|C:\Program Files\Mozilla Firefox\xul.dll+c2b702|C:\Program Files\Mozilla Firefox\xul.dll+c28166|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c08a13|C:\Program Files\Mozilla Firefox\xul.dll+1f0ee10 12241200x80000000000000007548666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.155{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.155{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000007548664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:24.155{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla 
Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007548662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-09-10 17:09:24.139 11241100x80000000000000007548656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-09-10 17:09:24.139 10341000x80000000000000007548655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:24.139{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407C-613A-8AFA-00000000F001}8036C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f0b0|C:\Program Files\Mozilla Firefox\xul.dll+e75c88|C:\Program Files\Mozilla Firefox\xul.dll+e75687|C:\Program Files\Mozilla Firefox\xul.dll+8d9557|C:\Program Files\Mozilla Firefox\xul.dll+8cda04|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002131693Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:24.154{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C975FDAF093A0705FBAC0322DC3E5FD2,SHA256=77F2522F19360A9B45216608E5719BD8CFC46036CB05BCBC35B328D6E92CAFB4,IMPHASH=00000000000000000000000000000000falsetrue 924900x80000000000000007549049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x80000000000000007549048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 12241200x80000000000000007549047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverPackage\PermissionsCheckTestKey 12241200x80000000000000007549046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverPackage\PermissionsCheckTestKey 13241300x80000000000000007549045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverPackage\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverPackage 
12241200x80000000000000007549043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceUsbHubClass\PermissionsCheckTestKey 12241200x80000000000000007549041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceUsbHubClass\PermissionsCheckTestKey 13241300x80000000000000007549040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceUsbHubClass\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceUsbHubClass 12241200x80000000000000007549038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 
17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceInterface\PermissionsCheckTestKey 12241200x80000000000000007549036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceInterface\PermissionsCheckTestKey 13241300x80000000000000007549035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceInterface\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceInterface 12241200x80000000000000007549033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.922{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\DriverPackageExtended\PermissionsCheckTestKey 12241200x80000000000000007549031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\DriverPackageExtended\PermissionsCheckTestKey 
13241300x80000000000000007549030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\DriverPackageExtended\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\DriverPackageExtended 12241200x80000000000000007549028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceMediaClass\PermissionsCheckTestKey 12241200x80000000000000007549026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceMediaClass\PermissionsCheckTestKey 13241300x80000000000000007549025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceMediaClass\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceMediaClass 12241200x80000000000000007549023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverBinary\PermissionsCheckTestKey 12241200x80000000000000007549021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverBinary\PermissionsCheckTestKey 13241300x80000000000000007549020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverBinary\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDriverBinary 12241200x80000000000000007549018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 
17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceContainer\PermissionsCheckTestKey 12241200x80000000000000007549016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceContainer\PermissionsCheckTestKey 13241300x80000000000000007549015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceContainer\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDeviceContainer 12241200x80000000000000007549013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 12241200x80000000000000007549012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDevicePnp\PermissionsCheckTestKey 12241200x80000000000000007549011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDevicePnp\PermissionsCheckTestKey 
13241300x80000000000000007549010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDevicePnp\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000007549009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root\InventoryDevicePnp 12241200x80000000000000007549008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.919{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exe\REGISTRY\A\{e4b1c6e0-fc85-8165-c755-93069aad4c16}\Root 734700x80000000000000007549007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.904{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8ADtrueMicrosoft WindowsValid 734700x80000000000000007549006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.898{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007549005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:25.895{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=307C756C3761B731CB212F472D5DA4B9,SHA256=1FA15528F79B2350C25721158B2E532F3792B731A37103E3F17B003B6FC8E4D6trueMicrosoft WindowsValid 12241200x80000000000000007549004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007549003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007549002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007549001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.810{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll91.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=9692BC2CE5B1150345D1D0CC729A795B,SHA256=BF58443D6A022C24D2581BA45525BE3BA3076A64762CD7676A8BB419A52A3642trueMozilla CorporationValid 12241200x80000000000000007549000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007548998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007548995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007548994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007548993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007548992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.816{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.762{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a64ca8|C:\Program Files\Mozilla Firefox\xul.dll+a64a14|C:\Program Files\Mozilla Firefox\xul.dll+ae012e|C:\Program Files\Mozilla Firefox\xul.dll+e6341c|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program 
Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28 10341000x80000000000000007548864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program 
Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla 
Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 734700x80000000000000007548860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 10341000x80000000000000007548859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program 
Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla 
Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 734700x80000000000000007548856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x80000000000000007548855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla 
Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla 
Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.761{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla 
Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla 
Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a704dd|C:\Program Files\Mozilla Firefox\xul.dll+a65b6a|C:\Program Files\Mozilla Firefox\xul.dll+a65a24|C:\Program Files\Mozilla Firefox\xul.dll+908c8e|C:\Program Files\Mozilla Firefox\xul.dll+e6317a|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla 
Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d 10341000x80000000000000007548849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a65c08|C:\Program Files\Mozilla Firefox\xul.dll+e74eb8|C:\Program Files\Mozilla Firefox\xul.dll+e63116|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4 12241200x80000000000000007548848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.758{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
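The records in this dump are Sysmon events whose XML field boundaries were lost in extraction, so each event runs together into one string: the System header digits (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID), then the channel, the host, and the EventData fields in schema order. The following added example (written for this page; it is not part of the log or of Sysmon) splits such a dump back into events and triages the ProcessTampering (EID 25) and ProcessAccess (EID 10) records by correlating them with ProcessCreate (EID 1) on ProcessGuid. It assumes a constructed sample dump modelled on the firefox.exe sequence visible in this log (content-process start, "Image is replaced", csrss.exe and the parent opening the new child) with an invented host name, GUIDs and record IDs, shortened hashes and call traces, and a second invented updater.exe process; the Win32 process access-right bit values; and an allow-list policy (Firefox -contentproc children of firefox.exe, csrss.exe opening new processes) that is an analyst's triage choice, not anything Sysmon defines.

```python
"""Split a flattened Sysmon export back into events and triage EID 25/10 records."""
import re
from dataclasses import dataclass

GUID = (r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
        r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
IMAGE = r"[A-Za-z]:\\.+?\.exe"

# A record starts with the <System> fields run together: EventID, Version, Level,
# Task, Opcode, Keywords, EventRecordID, then the channel name. Sysmon sets Task
# equal to EventID, so the back-reference \1 resolves the concatenated digits.
HEADER = re.compile(r"(\d{1,2})(\d)(\d)\1(\d)0x([0-9A-Fa-f]{16})(\d+)"
                    r"Microsoft-Windows-Sysmon/Operational")
# EID 1 body: the first {Guid}Pid Image is the process, the last one is its parent.
PROC = re.compile(rf"({GUID})(\d+)({IMAGE})")
# EID 10 body: {SrcGuid}SrcPid+Tid SrcImage {TgtGuid}TgtPid TgtImage 0xMask CallTrace.
# The call trace begins with a module path, which is what terminates the hex mask.
ACCESS = re.compile(rf"({GUID})(\d+)({IMAGE})({GUID})(\d+)({IMAGE})"
                    r"0x([0-9A-Fa-f]+?)(?=[A-Za-z]:\\|\s|$)(.*)", re.S)
# EID 25 body: {Guid}Pid Image Type.
TAMPER = re.compile(rf"({GUID})(\d+)({IMAGE})(.*)$", re.S)

PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_ALL_ACCESS = 0x2, 0x10, 0x20, 0x1FFFFF
RIGHTS = {0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
          0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
          0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
# csrss.exe opens every new process with full access during start-up (the dump shows
# it doing so from basesrv.dll), so it is excluded from the injection rule. Allow-list
# decision by the analyst, not a Sysmon rule.
TRUSTED_OPENERS = {"csrss.exe"}


@dataclass
class Event:
    event_id: int
    record_id: int
    body: str
    guid: str = ""            # ProcessGuid, or TargetProcessGuid for EID 10
    image: str = ""           # Image, or TargetImage for EID 10
    parent_image: str = ""
    browser_child: bool = False
    source_image: str = ""
    granted: int = 0
    tamper_type: str = ""


@dataclass
class Finding:
    record_id: int
    severity: str
    summary: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_access(mask):
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in RIGHTS.items() if mask & bit]


def parse(dump):
    """Cut the dump at each record header and pull out the fields triage needs."""
    heads = list(HEADER.finditer(dump))
    events = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        ev = Event(int(h.group(1)), int(h.group(6)), dump[h.end():end].strip())
        if ev.event_id == 1 and (procs := PROC.findall(ev.body)):
            ev.guid, _, ev.image = procs[0]
            ev.parent_image = procs[-1][2]
            ev.browser_child = "-contentproc" in ev.body   # Firefox content process flag
        elif ev.event_id == 10 and (m := ACCESS.search(ev.body)):
            ev.source_image, ev.guid, ev.image = m.group(3), m.group(4), m.group(6)
            ev.granted = int(m.group(7), 16)
        elif ev.event_id == 25 and (m := TAMPER.search(ev.body)):
            ev.guid, ev.image, ev.tamper_type = m.group(1), m.group(3), m.group(4).strip()
        events.append(ev)
    return events


def triage(dump):
    """Correlate EID 25/10 with the EID 1 record of the same ProcessGuid and rate them."""
    events = parse(dump)
    created = {e.guid: e for e in events if e.event_id == 1}
    out = []
    for e in events:
        if e.event_id == 25:
            o = created.get(e.guid)
            # A firefox.exe -contentproc child reporting "Image is replaced" right after
            # creation is the browser's own start-up pattern; anything else is escalated.
            benign = bool(o and o.browser_child and basename(o.parent_image) == basename(e.image))
            out.append(Finding(e.record_id, "info" if benign else "high",
                               f"EID 25 {e.tamper_type}: {e.image}"))
        elif e.event_id == 10:
            src, dst = basename(e.source_image), basename(e.image)
            if dst == "lsass.exe" and e.granted & PROCESS_VM_READ:
                sev, why = "high", "memory read of lsass.exe"
            elif (e.granted & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)
                  and src != dst and src not in TRUSTED_OPENERS):
                sev, why = "high", "write/thread rights across images"
            else:
                sev, why = "info", "expected handle"
            out.append(Finding(e.record_id, sev,
                               f"EID 10 {src} -> {dst} 0x{e.granted:x} [{','.join(decode_access(e.granted))}]: {why}"))
    return out


# Constructed sample in the same flattened form as the page: invented host, GUIDs and
# record IDs, hashes and call traces shortened. 100001-100004 mirror the firefox.exe
# sequence in the log; 100005-100007 are an invented updater.exe that then opens lsass.exe.
SAMPLE_DUMP = " ".join([
    r'154100x8000000000000000100001Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:09:25.750{00000000-0000-0000-0000-000000000701}7052C:\Program Files\Mozilla Firefox\firefox.exe91.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -childID 6 -isForBrowser tabC:\Program Files\Mozilla Firefox\EXAMPLE\user{00000000-0000-0000-0000-000000000001}0x38c60b2LowMD5=00,SHA256=00{00000000-0000-0000-0000-000000000589}5896C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"',
    r'25542500x8000000000000000100002Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:09:25.758{00000000-0000-0000-0000-000000000701}7052C:\Program Files\Mozilla Firefox\firefox.exeImage is replaced',
    r'10341000x8000000000000000100003Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:09:25.755{00000000-0000-0000-0000-000000000176}17644228C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000701}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47',
    r'10341000x8000000000000000100004Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:09:25.761{00000000-0000-0000-0000-000000000589}58966692C:\Program Files\Mozilla Firefox\firefox.exe{00000000-0000-0000-0000-000000000701}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd',
    r'154100x8000000000000000100005Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:10:01.000{00000000-0000-0000-0000-000000000902}4100C:\Users\Public\updater.exe1.0.0UpdaterUpdaterExample Corpupdater.exe"C:\Users\Public\updater.exe"C:\Users\Public\EXAMPLE\user{00000000-0000-0000-0000-000000000001}0x38c60b2MediumMD5=00,SHA256=00{00000000-0000-0000-0000-000000000333}3300C:\Windows\explorer.exeC:\Windows\explorer.exe',
    r'25542500x8000000000000000100006Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:10:01.010{00000000-0000-0000-0000-000000000902}4100C:\Users\Public\updater.exeImage is replaced',
    r'10341000x8000000000000000100007Microsoft-Windows-Sysmon/Operationalhost.example.local-2021-09-10 17:10:02.000{00000000-0000-0000-0000-000000000902}41004104C:\Users\Public\updater.exe{00000000-0000-0000-0000-000000000620}620C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Users\Public\updater.exe+1f20',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.record_id} {f.severity:5} {f.summary}")
```

Running it prints one line per finding: the three firefox.exe records (the content-process "Image is replaced", csrss.exe with PROCESS_ALL_ACCESS, the parent with PROCESS_DUP_HANDLE) come out as info, the invented updater.exe tampering and its 0x1010 handle to lsass.exe as high. The Task-equals-EventID back-reference in HEADER is what makes the record split reliable: without it a prefix such as 1034100 cannot be cut into EventID, Version, Level, Task and Opcode unambiguously, and the hex mask in EID 10 has to be terminated by the leading module path of the call trace because a greedy hex match would swallow the C of C:\Windows.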
10341000x80000000000000007548847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+e6308d|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007548846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000007548845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+c2445|C:\Program Files\Mozilla Firefox\xul.dll+e62d64|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+c2445|C:\Program Files\Mozilla Firefox\xul.dll+e62d64|C:\Program Files\Mozilla Firefox\xul.dll+36021b4|C:\Program Files\Mozilla Firefox\xul.dll+3602120|C:\Program 
Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-4079-613A-86FA-00000000F001}58967732C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a1ef7f|C:\Program Files\Mozilla Firefox\xul.dll+8926d4|C:\Program Files\Mozilla Firefox\xul.dll+167e249|C:\Program Files\Mozilla Firefox\xul.dll+1a074f5|C:\Program Files\Mozilla Firefox\xul.dll+13715|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+12df8|C:\Program Files\Mozilla Firefox\xul.dll+a07c41|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 25542500x80000000000000007548842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.758{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeImage is replaced 10341000x80000000000000007548841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:25.755{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007548840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.755{4DF467A6-4079-613A-86FA-00000000F001}58962944C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f02d|C:\Program Files\Mozilla Firefox\firefox.exe+2e235|C:\Program Files\Mozilla Firefox\xul.dll+1fcb9ea|C:\Program Files\Mozilla Firefox\xul.dll+a1a9e3|C:\Program Files\Mozilla Firefox\xul.dll+a18bb5|C:\Program Files\Mozilla Firefox\xul.dll+a1fe9e|C:\Program Files\Mozilla Firefox\xul.dll+8cbe50|C:\Program Files\Mozilla Firefox\xul.dll+168b9e5|C:\Program Files\Mozilla Firefox\xul.dll+2662a|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+8ce637|C:\Program Files\Mozilla Firefox\nss3.dll+77d1d|C:\Program Files\Mozilla Firefox\nss3.dll+8ec01|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007548839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.750{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe91.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5896.12.368298650\396444522" -childID 6 -isForBrowser -prefsHandle 1836 -prefMapHandle 3220 
-prefsLen 10557 -prefMapSize 244776 -jsInit 1168 285716 -parentBuildID 20210823123856 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5896 "\\.\pipe\gecko-crash-server-pipe.5896" 4756 1dc4e9cb538 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2LowMD5=C8C9C12BC07D6EBCB91FFA05234DB052,SHA256=E84F523A7F5BDB8367CEB8FD572A7AFAA813AFB2B2C9ABB055B26DC31D444F5E{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x80000000000000007548838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.617{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50376- 354300x80000000000000007548837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.591{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50376- 354300x80000000000000007548836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.591{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63629- 354300x80000000000000007548835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.591{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61972- 354300x80000000000000007548834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.589{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63171- 354300x80000000000000007548833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.586{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63014- 354300x80000000000000007548832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.585{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61708- 354300x80000000000000007548831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.585{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49190- 354300x80000000000000007548830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.584{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58964- 354300x80000000000000007548829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.584{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59332- 354300x80000000000000007548828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.581{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58982- 354300x80000000000000007548827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.581{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58261- 354300x80000000000000007548826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.557{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51193- 354300x80000000000000007548825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.555{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58261- 354300x80000000000000007548824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.554{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60931- 354300x80000000000000007548823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.554{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59471- 354300x80000000000000007548822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.554{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56876- 354300x80000000000000007548821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.465{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51057- 354300x80000000000000007548820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.465{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56269- 354300x80000000000000007548819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.463{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59254- 354300x80000000000000007548818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.381{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-291.attackrange.local63274-false142.250.69.196sea30s08-in-f4.1e100.net443https 354300x80000000000000007548817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.381{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59814- 354300x80000000000000007548816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.381{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51774- 354300x80000000000000007548815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.379{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63273- 18141800x80000000000000007548814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:25.740{4DF467A6-4079-613A-86FA-00000000F001}5896<Anonymous Pipe>C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000007548813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:25.740{4DF467A6-4079-613A-86FA-00000000F001}5896<Anonymous Pipe>C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000007548812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:25.740{4DF467A6-4079-613A-86FA-00000000F001}5896\chrome.5896.12.36829865C:\Program Files\Mozilla Firefox\firefox.exe 11241100x80000000000000007548811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.629{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\3A6CBF550B2B6278623D8BBBEBDE2C32AB500CF22021-09-10 17:09:25.629 12241200x80000000000000007548810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.613{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:25.613{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.561{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\CCA19B8E88199D5C4FE71C338D06F49268D380EA2021-09-10 17:09:25.561 12241200x80000000000000007548807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.501{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.501{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000007548805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.136{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56773-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x80000000000000007548804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.128{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65089- 
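The records in this batch are Sysmon events with their XML element boundaries stripped, so the EventID, version, level, task, opcode, keywords and record number run together at the start of each record (for example `25542500x8000...7548842` is Event 25, record 7548842). The two records worth a second look are the Event 25 ProcessTampering ("Image is replaced") for firefox.exe PID 7052 and the Event 10 ProcessAccess records against that PID with GrantedAccess 0x1fffff, one from csrss.exe and one from the firefox.exe parent PID 5896. In this capture both are the normal signature of Firefox launching a sandboxed content process (the Event 1 command line carries `-contentproc`) and of csrss.exe opening every new process with full access; the problem for a detection engineer is that the same event pair is what process hollowing and handle-based credential theft look like, so a triage rule has to separate the two. The Python below is an added example, not code from this page or from the Attack Range project. It re-wraps four of the records above in the Sysmon XML field names the dump dropped (a constructed sample with the namespace and unrelated fields omitted), decodes the GrantedAccess mask into PROCESS_* rights, and applies a small triage rule set. The browser allowlist and the lsass.exe rule are assumptions of the example, not something the page states.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: records 7548842, 7548841, 7548840 and 7548843 from this
# batch, re-wrapped in Sysmon's XML field names. Namespace omitted for brevity.
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>25</EventID><EventRecordID>7548842</EventRecordID></System>
<EventData><Data Name="UtcTime">2021-09-10 17:09:25.758</Data>
<Data Name="ProcessId">7052</Data>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="Type">Image is replaced</Data></EventData></Event>
<Event><System><EventID>10</EventID><EventRecordID>7548841</EventRecordID></System>
<EventData><Data Name="UtcTime">2021-09-10 17:09:25.755</Data>
<Data Name="SourceProcessId">1764</Data>
<Data Name="SourceImage">C:\Windows\system32\csrss.exe</Data>
<Data Name="TargetProcessId">7052</Data>
<Data Name="TargetImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="GrantedAccess">0x1fffff</Data></EventData></Event>
<Event><System><EventID>10</EventID><EventRecordID>7548840</EventRecordID></System>
<EventData><Data Name="UtcTime">2021-09-10 17:09:25.755</Data>
<Data Name="SourceProcessId">5896</Data>
<Data Name="SourceImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetProcessId">7052</Data>
<Data Name="TargetImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="GrantedAccess">0x1fffff</Data></EventData></Event>
<Event><System><EventID>10</EventID><EventRecordID>7548843</EventRecordID></System>
<EventData><Data Name="UtcTime">2021-09-10 17:09:25.758</Data>
<Data Name="SourceProcessId">5896</Data>
<Data Name="SourceImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetProcessId">7052</Data>
<Data Name="TargetImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="GrantedAccess">0x101451</Data></EventData></Event>
</Events>"""

# PROCESS_* access rights from winnt.h. 0x1fffff on the page is PROCESS_ALL_ACCESS.
ACCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: browsers whose sandboxed child processes trigger Event 25 at launch.
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def decode_access(mask_hex: str) -> List[str]:
    """Turn a GrantedAccess value such as '0x101451' into named rights."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        names.insert(0, "ALL_ACCESS")
    return names


def parse_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into a dict keyed by EventData Name attributes."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {"EventID": ev.findtext("System/EventID"),
               "RecordID": ev.findtext("System/EventRecordID")}
        for data in ev.iter("Data"):
            rec[data.get("Name")] = data.text or ""
        events.append(rec)
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(rec: Dict[str, str]) -> str:
    """Verdict for one Event 25 or Event 10 record; rules are the example's own."""
    if rec["EventID"] == "25":
        if rec.get("Type") == "Image is replaced" and basename(rec["Image"]) in BROWSER_IMAGES:
            return "benign: browser child-process launch"
        return "review: process image tampering"
    if rec["EventID"] == "10":
        src, dst = basename(rec["SourceImage"]), basename(rec["TargetImage"])
        rights = decode_access(rec["GrantedAccess"])
        if src == "csrss.exe":
            return "benign: csrss.exe opens every new process with ALL_ACCESS"
        if src == dst:
            return "low: parent opening a child of the same image"
        if "VM_READ" in rights and dst == "lsass.exe":
            return "alert: memory-read handle to lsass.exe"
        return "review: " + ",".join(rights)
    return "ignore"


def run_sample() -> Dict[str, str]:
    """Map EventRecordID to verdict for the constructed sample."""
    return {rec["RecordID"]: triage(rec) for rec in parse_events(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for record_id, verdict in run_sample().items():
        print(record_id, verdict)
```

The csrss.exe and same-image rules are what keep this batch quiet; the order matters, because the firefox.exe parent's 0x1fffff handle would otherwise read as a full-access open of another process. Anything that is not covered by those two rules, including any "Image is replaced" record for a non-browser binary, falls through to a review verdict rather than being suppressed.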
354300x80000000000000007548803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.125{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59476- 11241100x80000000000000007548802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.493{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\718C690684EF6121EB17D98E5715792E123D09272021-09-10 17:09:25.493 12241200x80000000000000007548801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.472{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.472{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.464{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\9C9B012AF9F9B152AE32C814E462AA1F966DE8AB2021-09-10 17:09:25.463 12241200x80000000000000007548798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.445{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.445{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.425{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\19399280C1854B1D50C1F447473B7F3189C20E6B2021-09-10 17:09:25.425 12241200x80000000000000007548795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.417{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.417{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.417{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:25.417{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.389{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.389{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.377{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\F5E5A0D6663C8B1C050FD3DA1CC5BDAA8F530D542021-09-10 17:09:25.377 11241100x80000000000000007548788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.369{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\993BF94F05C8E211E563A9CCA8A4A67B92A935152021-09-10 17:09:25.368 11241100x80000000000000007548787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.353{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\03E03C6ED00BAF4E0CB27E9CE8A25C3F6A7E9CA22021-09-10 
17:09:25.353 12241200x80000000000000007548786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.333{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.305{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:25.305{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.305{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\BE7A208CFC5DF55E740B27D6E4D999C6FBD5306B2021-09-10 17:09:25.305 11241100x80000000000000007548773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.285{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\6AE3B086A48D895E3D99D4B5E80D55F803C4BC642021-09-10 17:09:25.285 12241200x80000000000000007548772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.276{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.276{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.272{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\E43DFDA7B579AD8D6E427217D1991C35C1067DCD2021-09-10 
17:09:25.271 12241200x80000000000000007548769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.249{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.249{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.249{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.249{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000007548765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.087{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56772-false52.37.158.247ec2-52-37-158-247.us-west-2.compute.amazonaws.com443https 354300x80000000000000007548764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.040{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56771-false99.84.74.129server-99-84-74-129.hio50.r.cloudfront.net443https 354300x80000000000000007548763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.031{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57024- 354300x80000000000000007548762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.030{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59983- 354300x80000000000000007548761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.028{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61512- 354300x80000000000000007548760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.026{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56770-false52.37.158.247ec2-52-37-158-247.us-west-2.compute.amazonaws.com443https 354300x80000000000000007548759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.025{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56769-false52.37.158.247ec2-52-37-158-247.us-west-2.compute.amazonaws.com443https 11241100x80000000000000007548758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:25.233{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\9619057D8957F1E56DF864A0E3796059772D05412021-09-10 17:09:25.229 12241200x80000000000000007548757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.221{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.221{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.221{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.221{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.221{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
12241200x80000000000000007548752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.221{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007548751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.213{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\485BF4789ACE91F157DC0D5BF67568C05E7E68052021-09-10 17:09:25.213 12241200x80000000000000007548750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.193{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.193{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 22542200x80000000000000007548748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.570{4DF467A6-3F58-6132-2B00-00000000F001}2948196.69.250.142.in-addr.arpa.0type: 12 sea30s08-in-f4.1e100.net;C:\Windows\sysmon64.exe 22542200x80000000000000007548747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.564{4DF467A6-4079-613A-86FA-00000000F001}5896star-mini.c10r.facebook.com031.13.70.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:07.564{4DF467A6-4079-613A-86FA-00000000F001}5896www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:31.13.70.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.563{4DF467A6-4079-613A-86FA-00000000F001}5896youtube-ui.l.google.com02607:f8b0:400a:805::200e;2607:f8b0:400a:80b::200e;2607:f8b0:400a:801::200e;2607:f8b0:400a:803::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.561{4DF467A6-4079-613A-86FA-00000000F001}5896youtube-ui.l.google.com0142.251.33.110;142.251.33.78;142.250.217.78;142.250.217.110;172.217.14.206;172.217.14.238;142.250.69.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.561{4DF467A6-4079-613A-86FA-00000000F001}5896www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.69.206;::ffff:142.251.33.110;::ffff:142.251.33.78;::ffff:142.250.217.78;::ffff:142.250.217.110;::ffff:172.217.14.206;::ffff:172.217.14.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.443{4DF467A6-4079-613A-86FA-00000000F001}5896www.gstatic.com02607:f8b0:400a:803::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.441{4DF467A6-4079-613A-86FA-00000000F001}5896www.gstatic.com0142.250.217.99;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.441{4DF467A6-4079-613A-86FA-00000000F001}5896www.gstatic.com0::ffff:142.250.217.99;C:\Program Files\Mozilla Firefox\firefox.exe 
22542200x80000000000000007548739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.359{4DF467A6-4079-613A-86FA-00000000F001}5896www.google.com02607:f8b0:400a:80a::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.358{4DF467A6-4079-613A-86FA-00000000F001}5896www.google.com0142.250.69.196;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007548737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.357{4DF467A6-4079-613A-86FA-00000000F001}5896www.google.com0::ffff:142.250.69.196;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000007548736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.040{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+27b7e68|C:\Program Files\Mozilla Firefox\xul.dll+27a91ac|C:\Program Files\Mozilla Firefox\xul.dll+c22c71|C:\Program Files\Mozilla Firefox\xul.dll+27a027d|C:\Program Files\Mozilla Firefox\xul.dll+c29f86|C:\Program Files\Mozilla Firefox\xul.dll+c2313b|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla 
Firefox\xul.dll+27a14ee|C:\Program Files\Mozilla Firefox\xul.dll+27a1284|C:\Program Files\Mozilla Firefox\xul.dll+c2b1e2|C:\Program Files\Mozilla Firefox\xul.dll+c24fb9 11241100x80000000000000007548735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.032{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\B087A4976C50A5A2D38883D352BDE600E42C58EF2021-09-10 17:09:25.032 10341000x80000000000000007548734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.008{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:25.004{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+27b7e68|C:\Program Files\Mozilla Firefox\xul.dll+27a91ac|C:\Program Files\Mozilla Firefox\xul.dll+c22c71|C:\Program Files\Mozilla Firefox\xul.dll+27a027d|C:\Program Files\Mozilla Firefox\xul.dll+c29f86|C:\Program Files\Mozilla Firefox\xul.dll+c2313b|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+27a14ee|C:\Program Files\Mozilla Firefox\xul.dll+27a1284|C:\Program Files\Mozilla Firefox\xul.dll+c2b1e2|C:\Program Files\Mozilla Firefox\xul.dll+c24fb9 10341000x80000000000000007548732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.000{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla 
Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+27b7e68|C:\Program Files\Mozilla Firefox\xul.dll+27a91ac|C:\Program Files\Mozilla Firefox\xul.dll+c22c71|C:\Program Files\Mozilla Firefox\xul.dll+27a027d|C:\Program Files\Mozilla Firefox\xul.dll+c29f86|C:\Program Files\Mozilla Firefox\xul.dll+c2313b|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c24d58|C:\Program Files\Mozilla Firefox\xul.dll+27a14ee|C:\Program Files\Mozilla Firefox\xul.dll+27a1284|C:\Program Files\Mozilla Firefox\xul.dll+c2b1e2|C:\Program Files\Mozilla Firefox\xul.dll+c24fb9 12241200x80000000000000007548731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.000{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007548730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:25.000{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000002131694Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:25.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D63BF76AF0C71D52E61EF01A6EBA9C,SHA256=4C489E7835DBC1326963947115A80C19FB98B2336A75FE2CDC1CAC378A48BAF9,IMPHASH=00000000000000000000000000000000falsetrue 
734700x80000000000000007549129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.999{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=1875083243EE498D0B2BB6B025AD7520,SHA256=A3FA592126642537BF6F0E4E9750A43A899525FE616DE899ABD7F26A9E7620C4trueMicrosoft WindowsValid 734700x80000000000000007549128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.997{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11trueMicrosoft WindowsValid 10341000x80000000000000007549127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.995{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla 
Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.995{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007549125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.994{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 
(rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000007549124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.984{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007549123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.982{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007549122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.982{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007549121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.982{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000007549120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.981{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 10341000x80000000000000007549119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:26.980{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a1823f|C:\Program Files\Mozilla Firefox\xul.dll+a64ca8|C:\Program Files\Mozilla Firefox\xul.dll+a28817|C:\Program Files\Mozilla Firefox\xul.dll+a713d9|C:\Program Files\Mozilla Firefox\xul.dll+e6a708|C:\Program Files\Mozilla Firefox\xul.dll+1a1cafa|C:\Program Files\Mozilla Firefox\xul.dll+1a10832|C:\Program Files\Mozilla Firefox\xul.dll+19e6e90|C:\Program Files\Mozilla Firefox\xul.dll+168c60a|C:\Program Files\Mozilla Firefox\xul.dll+1a11b56|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000007549118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:26.980{4DF467A6-4079-613A-86FA-00000000F001}5896\cubeb-pipe-5896-5C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000007549117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:26.980{4DF467A6-4079-613A-86FA-00000000F001}5896\cubeb-pipe-5896-5C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000007549116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:26.970{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007549115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.969{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 10341000x80000000000000007549114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.969{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
18141800x80000000000000007549113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:26.968{4DF467A6-407B-613A-87FA-00000000F001}6428\chrome.5896.13.100548543C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000007549112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.968{4DF467A6-4079-613A-86FA-00000000F001}58967732C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+1b960c|C:\Program Files\Mozilla Firefox\xul.dll+a2af56|C:\Program Files\Mozilla Firefox\xul.dll+a25acf|C:\Program Files\Mozilla Firefox\xul.dll+1a08ccf|C:\Program Files\Mozilla Firefox\xul.dll+1a0769c|C:\Program Files\Mozilla Firefox\xul.dll+13715|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+12df8|C:\Program Files\Mozilla Firefox\xul.dll+a07c41|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000007549111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:26.968{4DF467A6-4079-613A-86FA-00000000F001}5896\chrome.5896.13.100548543C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000007549110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:26.967{4DF467A6-4079-613A-86FA-00000000F001}5896\chrome.5896.12.36829865C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000007549109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.965{4DF467A6-4079-613A-86FA-00000000F001}58963136C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13528b|C:\Program Files\Mozilla Firefox\xul.dll+12346bd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000007549108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:26.965{4DF467A6-4079-613A-86FA-00000000F001}5896\gecko-crash-server-pipe.5896C:\Program Files\Mozilla Firefox\firefox.exe 734700x80000000000000007549107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.961{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x80000000000000007549106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.959{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x80000000000000007549105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.958{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007549104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.957{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000007549103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.957{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000007549102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.957{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007549101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.956{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007549100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.951{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007549099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.950{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000007549098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.950{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007549097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.949{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft 
Corporationmsi.dllMD5=4479EEB5C5400D4C084274BA015750FA,SHA256=6B30AE7147132038E603EEB2D35C35BB3D03EC5AFA560D31969E2D39A44ACDCDtrueMicrosoft WindowsValid 734700x80000000000000007549096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.925{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8trueMicrosoft WindowsValid 734700x80000000000000007549095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.924{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBEtrueMicrosoft WindowsValid 734700x80000000000000007549094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.923{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007549093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.923{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007549092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.923{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000007549091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.923{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007549090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.922{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000007549089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.922{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007549088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.922{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000007549087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.921{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 12241200x80000000000000007549086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.921{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 354300x80000000000000007549085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.290{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49623- 11241100x80000000000000007549084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.656{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\E031B5F54D72B7771A2F9371E5FB831E5A8D967B2021-09-10 17:09:26.656 11241100x80000000000000007549083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.655{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\69C717C707236441B2B2566669565999972164372021-09-10 17:09:26.655 11241100x80000000000000007549082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.654{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\E9CE5E851D600616BD55B9D11034DF505D5C7EDC2021-09-10 17:09:26.654 12241200x80000000000000007549081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.635{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.635{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.634{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
12241200x80000000000000007549078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.634{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.634{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:26.634{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x80000000000000007549075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.626{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\permissions.sqlite-journalMD5=4093380B6016770107311DF77BDF6A03,SHA256=BF73D1F22A553FD5707DB87608C7C36E746E2A46EB30D7B7B799D53BBCA2B73Afalsetrue 11241100x80000000000000007549074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.620{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\permissions.sqlite-journal2021-09-10 17:09:26.620 354300x80000000000000007549073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:08.263{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49623- 354300x80000000000000007549072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.262{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-291.attackrange.local50214-false142.250.69.194sea30s08-in-f2.1e100.net443https 354300x80000000000000007549071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.260{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50213- 354300x80000000000000007549070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.207{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61680- 354300x80000000000000007549069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.207{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-291.attackrange.local49976-false142.251.33.66sea09s28-in-f2.1e100.net443https 354300x80000000000000007549068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.207{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63023- 354300x80000000000000007549067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:08.205{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49975- 354300x80000000000000007549066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.178{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-291.attackrange.local56016-false142.251.33.78sea09s28-in-f14.1e100.net443https 354300x80000000000000007549065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.178{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56224- 354300x80000000000000007549064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.120{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-291.attackrange.local59252-false142.250.217.99sea09s30-in-f3.1e100.net443https 22542200x80000000000000007549063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.153{4DF467A6-4079-613A-86FA-00000000F001}5896apis.google.com0type: 5 plus.l.google.com;::ffff:142.251.33.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007549062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.787{4DF467A6-4079-613A-86FA-00000000F001}5896id.google.com02607:f8b0:400a:805::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007549061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.769{4DF467A6-4079-613A-86FA-00000000F001}5896id.google.com0142.250.69.195;C:\Program Files\Mozilla Firefox\firefox.exe 
22542200x80000000000000007549060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.768{4DF467A6-4079-613A-86FA-00000000F001}5896id.google.com0::ffff:142.250.69.195;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007549059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.608{4DF467A6-4079-613A-86FA-00000000F001}5896gstaticadssl.l.google.com02607:f8b0:400a:801::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007549058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.606{4DF467A6-4079-613A-86FA-00000000F001}5896gstaticadssl.l.google.com0142.250.69.195;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007549057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.606{4DF467A6-4079-613A-86FA-00000000F001}5896fonts.gstatic.com0type: 5 gstaticadssl.l.google.com;::ffff:142.250.69.195;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x80000000000000007549056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.140{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\sessionstore-backups\recovery.jsonlz4.tmp2021-09-10 17:09:26.140 354300x80000000000000007549055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.793{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59251- 354300x80000000000000007549054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.792{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local52061- 354300x80000000000000007549053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.790{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50547- 354300x80000000000000007549052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.630{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51169- 354300x80000000000000007549051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.630{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-291.attackrange.local51867-false142.250.69.195sea30s08-in-f3.1e100.net443https 354300x80000000000000007549050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:07.628{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51866- 23542300x80000000000000002131695Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:26.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CBA95AAD90BFB12C7F81E22EEB2288,SHA256=393B879D1D0EB647AF09CC822C143602116BC252826BB779219C96DF22D84BBC,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000007549334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:08.594{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61091- 11241100x80000000000000007549333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:27.641{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\D2B0739ADDBADA13A2727E2F82E18C8FBC4C3E302021-09-10 17:09:27.641 12241200x80000000000000007549332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.586{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.586{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.586{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
12241200x80000000000000007549328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007549327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:27.013{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll91.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=1AB1404C4253638C89F6355B70980240,SHA256=0153C2259F578CD51C39C859D2D978D84CA431587C2A64DED6D3B039057F70D8trueMozilla CorporationValid 12241200x80000000000000007549326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007549325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007549321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.234{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.233{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.230{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007549303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007549302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007549301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000007549299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:27.007{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll91.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=913A372058678A3E2D4D11DB674A8389,SHA256=629AD4E8091F00239A48CE1A685CF8E086DB96E594BB39454C6C8BE31249E274trueMozilla CorporationValid 12241200x80000000000000007549298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007549292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.227{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007549278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000007549277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007549276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007549275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:26.984{4DF467A6-9145-613B-7922-01000000F001}7052C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 12241200x80000000000000007549274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:27.226{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5339BEFD2307EE76D501FB0EC9431C67,SHA256=C7A640AF196ECB6971AC73E2FED3D6DF3A46667A918259189182432D9DBD5397,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007549350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007549349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.729{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B60FD856F328D1260D60E4773798F8FD,SHA256=B46AC4360ABD11CA452A74B6B649B6ED12D9EEFD4C4B23D4588DB3F92E3373BFfalsetrue 10341000x80000000000000007549348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.550{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:28.550{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.498{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.494{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla 
Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.494{4DF467A6-4079-613A-86FA-00000000F001}58967184C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e20|C:\Program Files\Mozilla Firefox\firefox.exe+37d16|C:\Program Files\Mozilla Firefox\firefox.exe+492f0|C:\Program Files\Mozilla Firefox\firefox.exe+48fec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 24542400x80000000000000007549343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.478{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=830CCF4EE263BEF0B974DA9C6F5A6D2F,SHA256=1C0768D614294FDC1ECA0D02B2578B0B6BCD779D6E3786764818B2A008838404true 10341000x80000000000000007549342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:28.478{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.478{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007549340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:28.478{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-830CCF4EE263BEF0B974DA9C6F5A6D2F1C0768D614294FDC1ECA0D02B2578B0B6BCD779D6E3786764818B2A0088384042021-09-10 17:09:28.478 10341000x80000000000000007549339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.478{4DF467A6-3F58-6132-2B00-00000000F001}29483972C:\Windows\sysmon64.exe{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007549338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007549337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6274273C80143E2623C5A3C6375AC5DE,SHA256=48407CFA94E5D6D4BABA0E2DC939D24FAEFF880432FD792A5EF8D32BC1F06A5Dfalsetrue 
11241100x80000000000000007549336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007549335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C097D7B9AAEFA30D52850677E482D,SHA256=BE32A51D525D3AA68EB5ED67D5D2A36108F694DA313AF1CEEE432212F85D33B7falsetrue 354300x80000000000000002131700Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:20.047{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62370-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131699Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:28.327{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71CB6760CAECFDCF662E62E2ADCA2D89,SHA256=60500896D4169B827054DCC4AFED82D1B4F91AC95A2AA7F86B79AB2DEE9BCE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:28.327{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0D47A3743280364E090E0896F8342AD,SHA256=7027DA164180F5391E3EE6C31EC14462439D281E925FA6396B0ACB9BB58980F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131697Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:28.163{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C6CACD0BCA5BF257CCD9A114F7FC36,SHA256=9A7B0AE6311ACE61DCEAE9DB19E9B6BDE0763CE0995931A9F6B116B2CF1D335A,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007549393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.988{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.988{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000007549391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:11.093{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56774-false10.0.1.12-8000- 11241100x80000000000000007549390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.692{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\8CD5F02F363C1E9B394C2AFA897C9973DEB4E9752021-09-10 17:09:29.692 12241200x80000000000000007549389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.668{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.668{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.656{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.656{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.652{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:29.652{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000007549383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.507{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+c12673|C:\Program Files\Mozilla Firefox\xul.dll+c11d1a|C:\Program Files\Mozilla Firefox\xul.dll+c096d3|C:\Program Files\Mozilla Firefox\xul.dll+c130c0|C:\Program Files\Mozilla Firefox\xul.dll+f8b298|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa|C:\Program Files\Mozilla Firefox\xul.dll+ec8a6c|C:\Program Files\Mozilla Firefox\xul.dll+2bb152|C:\Program Files\Mozilla Firefox\xul.dll+1aff557|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0 11241100x80000000000000007549382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007549381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.451{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EA26F8F931DA2D3E81CA3D45A5DFD5C,SHA256=52AE760612A2166AEF726E3BC6D676B91CDCDED12FAE25C2313EBDD7A3C4486Efalsetrue 10341000x80000000000000007549380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}12481776C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}12481776C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007549378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 
12241200x80000000000000007549374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.351{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007549365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:29.347{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 11241100x80000000000000007549364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.219{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\38A9CEED2F2E5A5370E07E0A1CAAC25782AA807B2021-09-10 17:09:29.219 12241200x80000000000000007549363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.199{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:29.199{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007549361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.163{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\5EBE123BB4A5E0C9F3825D92AE5A34F4BA6D0CE22021-09-10 17:09:29.163 11241100x80000000000000007549360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.163{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\entries\268859AF662F48A33B25844ED36058BF50F598492021-09-10 17:09:29.163 11241100x80000000000000007549359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.232{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 12241200x80000000000000007549417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:30.220{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007549416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:30.220{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x80000000000000007549415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.200{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b80548|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e|C:\Program Files\Mozilla Firefox\xul.dll+1a1028|C:\Program Files\Mozilla Firefox\xul.dll+19fedf|C:\Program Files\Mozilla Firefox\xul.dll+41ed1ea|C:\Program Files\Mozilla Firefox\xul.dll+4258fcd|C:\Program Files\Mozilla Firefox\xul.dll+4259c43|C:\Program Files\Mozilla Firefox\xul.dll+1efd6f3|C:\Program Files\Mozilla Firefox\firefox.exe+5c1d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla 
Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b83889|C:\Program Files\Mozilla Firefox\xul.dll+b9347a|C:\Program Files\Mozilla Firefox\xul.dll+b6c6f9|C:\Program Files\Mozilla Firefox\xul.dll+b865f0|C:\Program Files\Mozilla Firefox\xul.dll+1a6136c|C:\Program Files\Mozilla Firefox\xul.dll+19664b2|C:\Program Files\Mozilla Firefox\xul.dll+19647ed|C:\Program Files\Mozilla Firefox\xul.dll+1960267|C:\Program Files\Mozilla Firefox\xul.dll+1b64910|C:\Program Files\Mozilla Firefox\xul.dll+1a6267a|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d|C:\Program Files\Mozilla Firefox\xul.dll+ec8eaa 10341000x80000000000000007549413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla 
Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program 
Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla 
Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program 
Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 
10341000x80000000000000007549407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla 
Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 10341000x80000000000000007549405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.192{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program 
Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 13241300x80000000000000007549404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:30.192{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007549403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:30.192{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\308046O0NS4N39POBinary Data 10341000x80000000000000007549402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.188{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007549401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.172{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+ee8a4e|C:\Program Files\Mozilla Firefox\xul.dll+28d612|C:\Program Files\Mozilla Firefox\xul.dll+28c91f|C:\Program Files\Mozilla Firefox\xul.dll+28c70a|C:\Program Files\Mozilla Firefox\xul.dll+f01b95|C:\Program Files\Mozilla Firefox\xul.dll+18d51bb|C:\Program Files\Mozilla Firefox\xul.dll+1b08c32|C:\Program Files\Mozilla Firefox\xul.dll+1b08ea1|C:\Program Files\Mozilla Firefox\xul.dll+1b0b23b|C:\Program Files\Mozilla Firefox\xul.dll+178f73f|C:\Program Files\Mozilla Firefox\xul.dll+1afe9d3|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e|C:\Program Files\Mozilla Firefox\xul.dll+f2cb7f|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e 10341000x80000000000000007549400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.172{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+ee8a27|C:\Program Files\Mozilla Firefox\xul.dll+28d612|C:\Program Files\Mozilla 
Firefox\xul.dll+28c91f|C:\Program Files\Mozilla Firefox\xul.dll+28c70a|C:\Program Files\Mozilla Firefox\xul.dll+f01b95|C:\Program Files\Mozilla Firefox\xul.dll+18d51bb|C:\Program Files\Mozilla Firefox\xul.dll+1b08c32|C:\Program Files\Mozilla Firefox\xul.dll+1b08ea1|C:\Program Files\Mozilla Firefox\xul.dll+1b0b23b|C:\Program Files\Mozilla Firefox\xul.dll+178f73f|C:\Program Files\Mozilla Firefox\xul.dll+1afe9d3|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e|C:\Program Files\Mozilla Firefox\xul.dll+f2cb7f|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e 10341000x80000000000000007549399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.172{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+ee89fc|C:\Program Files\Mozilla Firefox\xul.dll+28d612|C:\Program Files\Mozilla Firefox\xul.dll+28c91f|C:\Program Files\Mozilla Firefox\xul.dll+28c70a|C:\Program Files\Mozilla Firefox\xul.dll+f01b95|C:\Program Files\Mozilla Firefox\xul.dll+18d51bb|C:\Program Files\Mozilla Firefox\xul.dll+1b08c32|C:\Program Files\Mozilla Firefox\xul.dll+1b08ea1|C:\Program Files\Mozilla Firefox\xul.dll+1b0b23b|C:\Program Files\Mozilla Firefox\xul.dll+178f73f|C:\Program Files\Mozilla Firefox\xul.dll+1afe9d3|C:\Program Files\Mozilla Firefox\xul.dll+f2caa0|C:\Program Files\Mozilla Firefox\xul.dll+f2c915|C:\Program Files\Mozilla 
Firefox\xul.dll+f2c457|C:\Program Files\Mozilla Firefox\xul.dll+f2bf1e|C:\Program Files\Mozilla Firefox\xul.dll+f2cb7f|C:\Program Files\Mozilla Firefox\xul.dll+19e742e|C:\Program Files\Mozilla Firefox\xul.dll+168b684|C:\Program Files\Mozilla Firefox\xul.dll+1a11aac|C:\Program Files\Mozilla Firefox\xul.dll+a0a49f|C:\Program Files\Mozilla Firefox\xul.dll+2642e 11241100x80000000000000007549398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.144{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\lEZoVjPj.rar.part2021-09-10 17:09:30.144 23542300x80000000000000007549397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.144{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\lEZoVjPj.rar.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000007549396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.144{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\lEZoVjPj.rar.part2021-09-10 17:09:30.144 11241100x80000000000000007549395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.144{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\lEZoVjPj.rar2021-09-10 17:09:30.144 23542300x80000000000000007549394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:30.096{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program 
13241300x80000000000000007549595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:33.323{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 13241300x80000000000000007549594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:33.323{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007549593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:33.323{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\308046O0NS4N39POBinary Data 12241200x80000000000000007549592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:33.323{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007549591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:33.319{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 23542300x80000000000000002131706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:33.205{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB82109F7E0668781DB50D7C0BB1B59,SHA256=617804F8DC85A5157ED6C31DBDB00778A257E40553DD0EFF07F0963D801A7FF6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007549684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000007549677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\SniffedFolderTypeDocuments 12241200x80000000000000007549676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell 12241200x80000000000000007549675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007549668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007549661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007549654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007549647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007549640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 13241300x80000000000000007549637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007549636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007549635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007549634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000007549633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x80000000000000007549632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 
13241300x80000000000000007549631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007549630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x80000000000000007549629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x80000000000000007549628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x80000000000000007549627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 
13241300x80000000000000007549626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200011) 13241300x80000000000000007549625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x80000000000000007549624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x80000000000000007549623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x80000000000000007549622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 
13241300x80000000000000007549621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x80000000000000007549620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\58\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x80000000000000007549619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\1 12241200x80000000000000007549618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 12241200x80000000000000007549617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007549616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:34.988{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\1 
17:09:36.326{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007549720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:36.326{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x80000000000000007549719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:36.213{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 23542300x80000000000000002131712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:36.326{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483344F68A272C3FAEC390A398FCA1E2,SHA256=BCC699A6A9F7464FEB4DCB4C467E12504D9AFF0D9C0289E70EDD64884CD52DF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007549799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007549798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=541A9F33F7F6644A6E17DCE2F4B42B5E,SHA256=2F889BAFC35100E8B89DECBAA2658A512A68AA34944BB66226FD3F5FA622510Bfalsetrue 354300x80000000000000007549797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.444{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56778-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000007549796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:19.444{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56778-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 18141800x80000000000000007549795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:37.651{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 11241100x80000000000000007549794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.286{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007549793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.286{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007549792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.286{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DD6B464451B534EAAB7DF0915D1C4F,SHA256=825644A874B00B35718B21F776B0DC07CCA050AC0D2AF110F3AD6A0E62296A6Cfalsetrue 23542300x80000000000000007549791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2969AC4A000799D85237ABB18A7BAABA,SHA256=C8EB58F6C218D815889F4C5534E0569CD16D3EE4AF6D90C19D68E65A1875ACD0falsetrue 23542300x80000000000000002131713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:37.328{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793D63DDAE0633E9394E567A52898EAA,SHA256=3C5DB27BF227A7ADFA134A3858F5CC937D2DFED0253107B648AD6BA95BC2E9BB,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007549805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:38.952{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 
12241200x80000000000000007549804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:38.952{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9752b235-0000-0000-0000-100000000000} 11241100x80000000000000007549803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007549802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0A3520B3B1A740E51A8BBAA811D89F,SHA256=E0327F2C4F712A3461951916EFDF93E5CD3596A3D990B6D579DDF932CBFBF4F5falsetrue 23542300x80000000000000007549801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.287{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\doomed\32673MD5=7DDBD3A87C57D83A410AD3D8DF05E9C6,SHA256=86EC01D2306BE1906E4C737EE5A590D2DA02E831B857E2BD8A2A8445F0442C4Ffalsetrue 23542300x80000000000000007549800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.287{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\cache2\doomed\23115MD5=A2EE44CFFD12E2EA41428B932C57C502,SHA256=EAB4E7FC34628D906EAD8D39C690BEE8EAB189ED94348F15D736D7B1D618B9C3falsetrue 23542300x80000000000000002131714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:38.345{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2396BFD84960DDC4364B8B54E8B2D243,SHA256=54BDE8251319F05B6F5139902701596D06925EC4FBDEDC22ABA42F4922E6C391,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007549959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007549958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:39.824{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8trueMicrosoft WindowsValid 12241200x80000000000000007549957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007549956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007549955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007549948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.848{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:39.847{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.847{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007549932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:39.820{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0trueMicrosoft WindowsValid 12241200x80000000000000007549931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007549930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007549929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007549928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007549927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007549916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007549912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007549911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.846{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007549909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.845{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007549908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.844{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.820{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.820{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007549905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.808{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007549904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.808{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007549903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.808{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007549902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:39.800{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.4169 (rs1_release.210107-1130)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=0B283806F6BEEE6509E9F8C3FCA10286,SHA256=4DC982EC3F8B81CF8BF0F56ED5CEF628C28A1620CC12B94CAFADCD7CE684B6E2trueMicrosoft WindowsValid 12241200x80000000000000007549901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.808{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.808{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007549899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549898 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549897 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549896 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549895 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549894 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549893 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549892 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549891 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549890 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549889 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549888 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549887 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549886 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549885 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549884 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549883 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549882 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549881 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.808 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 2 4 12 0 0x8000000000000000 7549880 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.800 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 2 4 12 0 0x8000000000000000 7549879 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.800 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 3 4 7 0 0x8000000000000000 7549878 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:39.616 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe C:\Windows\System32\mydocs.dll 10.0.14393.4169 (rs1_release.210107-1130) My Documents Folder UI Microsoft® Windows® Operating System Microsoft Corporation mydocs.dll MD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20 true Microsoft Windows Valid
12 2 4 12 0 0x8000000000000000 7549877 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549876 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549875 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549874 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549873 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549872 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549871 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549870 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549869 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549868 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549867 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549866 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549865 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549864 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549863 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549862 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549861 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549860 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549859 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549858 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549857 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549856 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549855 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.624 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549854 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.620 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
13 2 4 13 0 0x8000000000000000 7549853 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.620 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
12 2 4 12 0 0x8000000000000000 7549852 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.620 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 2 4 12 0 0x8000000000000000 7549851 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.620 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 3 4 7 0 0x8000000000000000 7549850 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:39.612 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe C:\Windows\System32\sendmail.dll 10.0.14393.4169 (rs1_release.210107-1130) Send Mail Microsoft® Windows® Operating System Microsoft Corporation SENDMAIL.DLL MD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A true Microsoft Windows Valid
12 2 4 12 0 0x8000000000000000 7549849 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549848 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549847 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549846 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549845 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549844 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549843 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549842 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549841 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549840 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549839 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549838 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549837 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549836 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549835 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549834 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549833 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549832 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549831 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7549830 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7549829 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7549828 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7549827 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
13 2 4 13 0 0x8000000000000000 7549826 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.616 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
12 2 4 12 0 0x8000000000000000 7549825 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.616 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
13 2 4 13 0 0x8000000000000000 7549824 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.612 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
12 2 4 12 0 0x8000000000000000 7549823 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.612 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 2 4 12 0 0x8000000000000000 7549822 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.612 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
13 2 4 13 0 0x8000000000000000 7549821 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.608 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549820 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.608 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
7 3 4 7 0 0x8000000000000000 7549819 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe C:\Windows\System32\shacct.dll 10.0.14393.2457 (rs1_release_inmarket.180822-1743) Shell Accounts Classes Microsoft® Windows® Operating System Microsoft Corporation shacct.dll MD5=6C3405DC9DB5740B6B2AD3AF67031A2E,SHA256=223153AF2A71D3549CCE25D3EAA294DD44471EA8A0733E5AC1EFD7D99D03886E true Microsoft Windows Valid
12 2 4 12 0 0x8000000000000000 7549818 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
12 2 4 12 0 0x8000000000000000 7549817 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications
12 2 4 12 0 0x8000000000000000 7549816 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKLM\SOFTWARE\RegisteredApplications
13 2 4 13 0 0x8000000000000000 7549815 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549814 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549813 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.592 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549812 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.588 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549811 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.588 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549810 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.588 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549809 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.588 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
13 2 4 13 0 0x8000000000000000 7549808 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:39.588 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList Binary Data
11 2 4 11 0 0x8000000000000000 7549807 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:39.392 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational 2021-09-03 15:28:51.675
23 5 4 23 0 0x8000000000000000 7549806 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:39.392 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=FADA6FAB55EACD981CD6636B03A72513,SHA256=454119DDC954C69DBE069BC1E8EA0FD5895D7C29F08D70D56010851E36FF0DB4 false true
3 5 4 3 0 0x8000000000000000 2131718 Microsoft-Windows-Sysmon/Operational win-host-296.attackrange.local - 2021-09-10 17:09:30.903 {AEE49BD1-41F7-6132-D100-00000000F101} 3472 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe NT AUTHORITY\SYSTEM tcp true false 10.0.1.15 win-host-296.attackrange.local 62372 - false 10.0.1.12 ip-10-0-1-12.us-west-2.compute.internal 8000 -
23 5 4 23 0 0x8000000000000000 2131717 Microsoft-Windows-Sysmon/Operational win-host-296.attackrange.local - 2021-09-10 17:09:39.378 {AEE49BD1-41FD-6132-DA00-00000000F101} 3924 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=EF58BE7A552011247002082A011F5D9C,SHA256=F21D17DF8E82B74C12CAABE8BCFB9D4A2A820E87DF464A2907B5474C01BDFC90,IMPHASH=00000000000000000000000000000000 false true
23 5 4 23 0 0x8000000000000000 2131716 Microsoft-Windows-Sysmon/Operational win-host-296.attackrange.local - 2021-09-10 17:09:39.278 {AEE49BD1-41FD-6132-DA00-00000000F101} 3924 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security MD5=F1118CF66612829647A6DC58E771D2F8,SHA256=9D7D4FA414E8FE68B457F16CB33DBDF870F620E8A220D2C79EF2BBCD5FA04DE5,IMPHASH=00000000000000000000000000000000 false true
23 5 4 23 0 0x8000000000000000 2131715 Microsoft-Windows-Sysmon/Operational win-host-296.attackrange.local - 2021-09-10 17:09:39.278 {AEE49BD1-41FD-6132-DA00-00000000F101} 3924 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security MD5=90FEA214E355C5E00A1F1A80C2A8C814,SHA256=15084FD66B85570465CA30C227EAC6F76D7853253605EA435653CE8801EF0918,IMPHASH=00000000000000000000000000000000 false true
11 2 4 11 0 0x8000000000000000 7549961 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:40.169 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational 2021-09-03 15:28:51.675
23 5 4 23 0 0x8000000000000000 7549960 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:40.169 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=DE578C9BA861528D137155B36244086B,SHA256=8F0ED4FF5208BE8D11FADEB8973FF56A3FFD264C78C7C3B14009CDFC4F815E6B false true
23 5 4 23 0 0x8000000000000000 2131719 Microsoft-Windows-Sysmon/Operational win-host-296.attackrange.local - 2021-09-10 17:09:40.379 {AEE49BD1-41FD-6132-DA00-00000000F101} 3924 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=C7BB30425305A405B37927C5139FA057,SHA256=142B9E9A8B3744B24B395D533D5FD867D2EE37244C81AA85CC2FD2EA3B910D14,IMPHASH=00000000000000000000000000000000 false true
3 5 4 3 0 0x8000000000000000 7549967 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:22.912 {4DF467A6-D939-6137-81AF-00000000F001} 4208 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe NT AUTHORITY\SYSTEM tcp true false 10.0.1.14 win-dc-291.attackrange.local 56779 - false 10.0.1.12 - 8000 -
11 2 4 11 0 0x8000000000000000 7549966 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:41.536 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational 2021-09-03 15:28:51.675
23 5 4 23 0 0x8000000000000000 7549965 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:41.534 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=ADF5832BDDC0A904710313A20F9A26C3,SHA256=91A48E86E92D09908437381D3E9294FA2E5649265B8D32E9DA6761D1A8C21BCD false true
11 2 4 11 0 0x8000000000000000 7549964 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:41.530 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security 2021-09-03 15:27:39.769
23 5 4 23 0 0x8000000000000000 7549963 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:41.530 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security MD5=4D172742777BDD7418C86632D44268E2,SHA256=702E1C29945D92DA421BDD50020D1B95C53ED73F1659916B0EC76B12E972D732 false true
11 2 4 11 0 0x8000000000000000 7549962 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:41.149 {4DF467A6-4079-613A-86FA-00000000F001} 5896 C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\sessionstore-backups\recovery.jsonlz4.tmp 2021-09-10 17:09:41.149
23 5 4 23 0 0x8000000000000000 2131720 Microsoft-Windows-Sysmon/Operational win-host-296.attackrange.local - 2021-09-10 17:09:41.382 {AEE49BD1-41FD-6132-DA00-00000000F101} 3924 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=11F9B82C738F8F1A532103BF16D782F2,SHA256=C0BE684E12AA202ADD746DD11039789D71CD8BEB4F723D7B9193241AD9882935,IMPHASH=00000000000000000000000000000000 false true
12 2 4 12 0 0x8000000000000000 7550100 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.863 {4DF467A6-3F58-6132-2800-00000000F001} 2864 C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12 2 4 12 0 0x8000000000000000 7550099 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.863 {4DF467A6-3F58-6132-2800-00000000F001} 2864 C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
11 2 4 11 0 0x8000000000000000 7550098 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:42.763 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational 2021-09-03 15:28:51.675
23 5 4 23 0 0x8000000000000000 7550097 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:42.763 {4DF467A6-D93F-6137-8AAF-00000000F001} 5720 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational MD5=2666B8CD17866C2E9BB4ACA608E72CB3,SHA256=3366A6BE0242CF670F70619DE25FA4B356D6498456F7021DBF6E18C5E603B632 false true
13 2 4 13 0 0x8000000000000000 7550096 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:42.483 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA Binary Data
13 2 4 13 0 0x8000000000000000 7550095 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - SetValue 2021-09-10 17:09:42.483 {4DF467A6-3EE5-613A-21FA-00000000F001} 2428 C:\Windows\explorer.exe HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere Binary Data
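The records above are a raw Sysmon export with the delimiters between fields stripped. The Python below is an added example, not part of the export or of any Sysmon or Splunk tooling: it parses the registry records (EventID 12 CreateKey, EventID 13 SetValue) from this dump, accepting both the run-together form and a space-separated form, and applies two checks a responder would run over them. First, it flags registry writes under the certificate trust stores (SystemCertificates\Root, AuthRoot, Disallowed; EnterpriseCertificates) and the WinTrust Software Publishing provider key when the writing image is not on a small allowlist; on this page nearly all such records come from sysmon64.exe itself and coincide with the EventID 7 image-load records whose Authenticode signatures it verifies, so the sensor is allowlisted rather than alerted on. Second, it decodes the ROT13-obfuscated UserAssist value names that explorer.exe writes (records 7550096 and 7550095), which are execution evidence rather than an alert. The field layout is reconstructed from the Sysmon event schema and is an assumption about this page; splitting the glued Details field on the `Binary Data` / `DWORD (...)` renderings is a heuristic; and the third sample record (C:\Users\Public\updater.exe, record 9999999) is constructed for the demonstration, not taken from the page.

```python
"""Parse and triage the Sysmon registry records (EventID 12/13) from this dump.

Added example, not part of the original export.  The exporter dropped the
delimiters between fields, so the layout encoded in _REG is reconstructed from
the Sysmon event schema (System fields, then EventData fields in order) and is
an assumption about this page, not a documented format.
"""
import codecs
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Sysmon sets Task == EventID, so the backreference (?P=event_id) is what lets a
# run-together header such as "12241200x8000000000000000..." split unambiguously
# into EventID=12 Version=2 Level=4 Task=12 Opcode=0 Keywords=0x8000000000000000.
# Every \s? lets the same pattern accept a space-separated layout as well.
_REG = re.compile(
    r"^(?P<event_id>\d+)\s?(?P<version>\d)\s?(?P<level>\d)\s?(?P=event_id)\s?(?P<opcode>\d)\s?"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})\s?(?P<record_id>\d+)\s?"
    r"Microsoft-Windows-Sysmon/Operational\s?(?P<computer>\S+?)\s?-\s?"
    r"(?P<event_type>CreateKey|DeleteKey|RenameKey|SetValue|DeleteValue)\s?"
    r"(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s?"
    r"(?P<process_guid>\{[0-9A-Fa-f-]+\})\s?(?P<pid>\d+)\s?"
    r"(?P<image>.+?\.exe)\s?(?P<target>HK.+?)"
    # Details (SetValue only) is glued to TargetObject; peeling off the known
    # Sysmon renderings of binary/DWORD/QWORD data is a heuristic.
    r"(?:\s?(?P<details>Binary Data|DWORD \(0x[0-9A-Fa-f]{8}\)|QWORD \(0x[0-9A-Fa-f]{16}\)))?$"
)

# Keys whose modification changes what the host trusts (case-insensitive substring).
TRUST_STORE_MARKERS = (
    "\\SystemCertificates\\Root",
    "\\SystemCertificates\\AuthRoot",
    "\\SystemCertificates\\Disallowed",
    "\\EnterpriseCertificates\\",
    "\\WinTrust\\Trust Providers\\Software Publishing",
)
USERASSIST_MARKER = "\\Explorer\\UserAssist\\"
# Images expected to open the trust-store keys on a healthy host.  In this dump that
# is sysmon64.exe: its CreateKey records on Disallowed\CTLs etc. line up with its own
# EventID 7 signature checks.  Anything else writing there deserves a look.
SENSOR_ALLOWLIST = frozenset({"c:\\windows\\sysmon64.exe"})


@dataclass
class RegEvent:
    event_id: int
    record_id: int
    computer: str
    event_type: str
    utc_time: str
    pid: int
    image: str
    target: str
    details: Optional[str]


def parse_registry_event(line: str) -> Optional[RegEvent]:
    """Return the parsed record, or None for non-registry or unparseable lines."""
    m = _REG.match(line.strip())
    if m is None:
        return None
    return RegEvent(int(m["event_id"]), int(m["record_id"]), m["computer"], m["event_type"],
                    m["utc_time"], int(m["pid"]), m["image"], m["target"], m["details"])


def decode_userassist(target: str) -> Optional[str]:
    """UserAssist value names are ROT13-obfuscated; return the decoded leaf name."""
    if USERASSIST_MARKER.lower() not in target.lower():
        return None
    return codecs.decode(target.rsplit("\\", 1)[-1], "rot13")


def classify(ev: RegEvent) -> str:
    t = ev.target.lower()
    if any(marker.lower() in t for marker in TRUST_STORE_MARKERS):
        return "trust-store"
    if USERASSIST_MARKER.lower() in t:
        return "userassist"
    return "other"


def triage(lines: Iterable[str], allowlist=SENSOR_ALLOWLIST) -> List[Tuple[int, str, str, str]]:
    """Return (record_id, verdict, image, detail) for records worth a look."""
    findings = []
    for line in lines:
        ev = parse_registry_event(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind == "trust-store" and ev.image.lower() not in allowlist:
            findings.append((ev.record_id, "trust-store write by non-allowlisted image", ev.image, ev.target))
        elif kind == "userassist":  # execution evidence, not an alert: record what ran
            findings.append((ev.record_id, "userassist", ev.image, decode_userassist(ev.target) or ""))
    return findings


SAMPLE_LINES = [
    # Record 7549898, verbatim as the exporter ran it together (from this page).
    "1224120" "0x8000000000000000" "7549898" "Microsoft-Windows-Sysmon/Operational"
    "win-dc-291.attackrange.local-CreateKey2021-09-10 17:09:39.808"
    "{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\\Windows\\sysmon64.exe"
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs",
    # Record 7550096, UserAssist SetValue by explorer.exe (from this page).
    "1324130" "0x8000000000000000" "7550096" "Microsoft-Windows-Sysmon/Operational"
    "win-dc-291.attackrange.local-SetValue2021-09-10 17:09:42.483"
    "{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\\Windows\\explorer.exe"
    "HKU\\S-1-5-21-2453051693-1864363570-3931539573-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBABinary Data",
    # Constructed record (hypothetical image, pid and record id; not from the page), in the
    # space-separated layout: the same Disallowed store written by an unexpected process.
    "12 2 4 12 0 0x8000000000000000 9999999 Microsoft-Windows-Sysmon/Operational "
    "win-dc-291.attackrange.local - CreateKey 2021-09-10 17:10:00.000 "
    "{00000000-0000-0000-0000-000000000000} 4242 C:\\Users\\Public\\updater.exe "
    "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(*finding, sep="\t")
```

Run as a script it prints two findings: the decoded UserAssist entry `UEME_CTLSESSION` for record 7550096 and the trust-store write by the constructed `updater.exe` record; the sysmon64.exe record parses but is suppressed by the allowlist. Baseline the allowlist per estate before relying on it: on hosts where other signature-verifying agents run, they will show up in the same keys.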
7 3 4 7 0 0x8000000000000000 7550094 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - 2021-09-10 17:09:42.411 {4DF467A6-9156-613B-7A22-01000000F001} 8112 C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\ExplorerFrame.dll 10.0.14393.4169 (rs1_release.210107-1130) ExplorerFrame Microsoft® Windows® Operating System Microsoft Corporation ExplorerFrame.dll MD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8 true Microsoft Windows Valid
12 2 4 12 0 0x8000000000000000 7550093 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7550092 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7550091 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7550090 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - Cre­ateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7550089 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7550088 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7550087 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7550086 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7550085 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7550084 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7550083 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7550082 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7550081 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7550080 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7550079 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7550078 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7550077 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 2 4 12 0 0x8000000000000000 7550076 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 2 4 12 0 0x8000000000000000 7550075 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 2 4 12 0 0x8000000000000000 7550074 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 17:09:42.463 {4DF467A6-3F58-6132-2B00-00000000F001} 2948 C:\Windows\sysmon64.exe HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 2 4 12 0 0x8000000000000000 7550073 Microsoft-Windows-Sysmon/Operational win-dc-291.attackrange.local - CreateKey 2021-09-10 
17:09:42.463{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.463{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.463{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.459{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 534500x80000000000000007550069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.459{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe 10341000x80000000000000007550068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.447{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007550067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:42.447{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 
10341000x80000000000000007550066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.446{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.445{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.444{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.444{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.444{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007550061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.431{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Photos\template_loading.png2021-09-10 17:09:42.431 11241100x80000000000000007550060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.431{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Photos\Remote_Template_Injection.jpg2021-09-10 17:09:42.431 11241100x80000000000000007550059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.427{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Photos\mhtml.png2021-09-10 17:09:42.427 734700x80000000000000007550058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.427{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 11241100x80000000000000007550057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.427{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Photos\exploit.JPG2021-09-10 17:09:42.427 11241100x80000000000000007550056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.427{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Photos2021-09-10 17:09:42.427 11241100x80000000000000007550055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.427{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Malware Sample\side.html2021-09-10 17:09:42.427 734700x80000000000000007550054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.423{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 11241100x80000000000000007550053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.423{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Malware Sample\ministry.cab2021-09-10 17:09:42.423 11241100x80000000000000007550052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.423{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program 
Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\Malware Sample2021-09-10 17:09:42.423 11241100x80000000000000007550051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.423{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Scripts\Version 3.html2021-09-10 17:09:42.419 11241100x80000000000000007550050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.419{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Scripts\Version 2.html2021-09-10 17:09:42.419 11241100x80000000000000007550049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.419{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Scripts\Version 1.html2021-09-10 17:09:42.419 11241100x80000000000000007550048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.419{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Scripts2021-09-10 17:09:42.419 11241100x80000000000000007550047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.419{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\Project details (1).docx2021-09-10 17:09:42.419 11241100x80000000000000007550046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.419{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\PRD.docx2021-09-10 17:09:42.419 
11241100x80000000000000007550045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.419{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\A Letter before court 4.docx2021-09-10 17:09:42.415 11241100x80000000000000007550044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.415{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf.docx2021-09-10 17:09:42.415 11241100x80000000000000007550043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.415{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs2021-09-10 17:09:42.415 11241100x80000000000000007550042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.415{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\CVE-2021-404442021-09-10 17:09:42.415 12241200x80000000000000007550041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.415{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007550040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.411{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007550039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.367{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program 
Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7z.dll19.007z Plugin7-ZipIgor Pavlov7z.dllMD5=72491C7B87A7C2DD350B727444F13BB4,SHA256=34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891false-Unavailable 734700x80000000000000007550038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.375{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x80000000000000007550037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.371{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007550036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.371{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 12241200x80000000000000007550035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.371{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007550034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:42.363{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001503C6\VirtualDesktopBinary Data 12241200x80000000000000007550033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.363{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001503C6 12241200x80000000000000007550032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007550031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007550030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007550029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007550028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.338{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6trueMicrosoft WindowsValid 12241200x80000000000000007550027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007550026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007550020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.349{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007550007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.349{4DF467A6-3F48-6132-1600-00000000F001}12487400C:\Windows\system32\svchost.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program 
Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.349{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.348{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000007550004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.346{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 
734700x80000000000000007550003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.344{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007550002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.344{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007550001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.344{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007550000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.343{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 
734700x80000000000000007549999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.343{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007549998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.342{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007549997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.342{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007549996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.342{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 
734700x80000000000000007549995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.341{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000007549994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.341{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007549993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.341{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000007549992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.341{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 
12241200x80000000000000007549991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.338{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007549990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.338{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007549989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.338{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000007549988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.326{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exeMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEFfalse-Unavailable 734700x80000000000000007549987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000007549986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007549985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007549984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007549983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000007549982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007549981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007549980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.331{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007549979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.326{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000007549978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.326{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x80000000000000007549977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.326{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007549976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.326{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007549975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.326{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007549974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:42.326{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007549973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:42.326{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007549972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.322{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007549971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.322{4DF467A6-3EE5-613A-21FA-00000000F001}24283628C:\Windows\explorer.exe{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program 
Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x80000000000000007549970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.313{4DF467A6-9156-613B-7A22-01000000F001}8112C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an -ai#7zMap7330:106:7zEvent5574C:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 11241100x80000000000000007549969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007549968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:42.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F039B0ACD52C14FA87B309E8F0DC34C,SHA256=320C8F42067EAFB602C6DFCB4817C41F0E2273ED7D4F8CFC84948A04380E0D02falsetrue 23542300x80000000000000002131721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:42.404{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6793DBE251AC46BFDEE3020191C304D6,SHA256=C502DE01A2ED68EE79396EC1128302C711E3EACB45FBE66BF4B46AC0420543B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007550102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:43.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007550101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:43.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47D2FE188FD2F204D8BCD447A92E034E,SHA256=C89A7E9B822906B9AC7D68B08B430ED4BC3E8A0636E043FAFFD375EBDC6866A4falsetrue 23542300x80000000000000002131722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:43.422{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAB1DCC780E4D3EFE3A629845A34BCA,SHA256=D616048FB88CD4F744BC93DF2985AD40AAB5885F1306758331CE5C9E49DDEC21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007550225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.733{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56780-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007550224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:25.732{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56780-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000007550223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007550222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82266686B07DA0E942485ED0C5466B44,SHA256=225B2E7BB0D152E69ECFE1284D5A52D4DE5267D8705813BAFCDDD97C2D13F3FAfalsetrue 534500x80000000000000007550221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.897{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007550220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.897{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007550219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.897{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007550218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.897{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 13241300x80000000000000007550217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\60\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 
12241200x80000000000000007550216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\60\Shell 12241200x80000000000000007550215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\60 12241200x80000000000000007550214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x80000000000000007550213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\MRUListExBinary Data 13241300x80000000000000007550212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\NodeSlotDWORD (0x0000003c) 13241300x80000000000000007550211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
13241300x80000000000000007550210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\MRUListExBinary Data 12241200x80000000000000007550209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 13241300x80000000000000007550208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1Binary Data 12241200x80000000000000007550207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 
13241300x80000000000000007550204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.847{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.846{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.846{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007550200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.846{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.846{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 
12241200x80000000000000007550198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.846{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007550195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 
13241300x80000000000000007550192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.845{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 734700x80000000000000007550190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.769{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 12241200x80000000000000007550189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007550188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007550187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
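The records above are flattened Sysmon/Operational events from the attackrange.local hosts (shipped by the Splunk Universal Forwarder): a process create for 7zG.exe extracting an archive into C:\Users\Administrator\Downloads\ with explorer.exe as parent, csrss.exe and explorer.exe opening the new process with GrantedAccess 0x1fffff, and the burst of explorer.exe SetValue/CreateKey events under the Administrator SID's Shell\BagMRU and Shell\Bags keys (the ShellBag artifacts Explorer writes when a folder is browsed). The following Python is an added example, not code from the page or from Splunk: it parses Sysmon events in their native XML shape, keeps EventID 1 state so later events can be checked against the parent relationship, and emits findings for archive extraction into a user profile directory, PROCESS_ALL_ACCESS handle opens, and ShellBag writes (resolving RID 500 to the built-in Administrator). The sample events are constructed from the values visible in the dump and re-encoded as Sysmon XML; they are not the original Splunk records.

```python
"""Parse Sysmon events and run the checks a reviewer of the dump above would want.
The sample events below are CONSTRUCTED from values visible in the dump, re-encoded
in Sysmon's native XML shape; they are not the page's Splunk records."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
ARCHIVERS = {"7z.exe", "7zg.exe"}
USER_DROP_DIRS = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.I)
SHELLBAG_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\Shell\\(BagMRU|Bags)\\", re.I)
HKU_SID = re.compile(r"^HKU\\(S-1-5-21-\d+-\d+-\d+-(\d+))")
PROCESS_ALL_ACCESS = 0x1FFFFF  # the 0x1fffff GrantedAccess seen in the EventID 10 records


def parse_event(xml_text):
    """Flatten one Sysmon <Event> into a dict keyed by the EventData Name attributes."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    ev = {"EventID": int(system.find(NS + "EventID").text),
          "Computer": system.find(NS + "Computer").text}
    for d in root.find(NS + "EventData"):
        ev[d.get("Name")] = d.text or ""
    return ev


class SysmonCorrelator:
    def __init__(self):
        self.procs = {}      # ProcessGuid -> EventID 1 record, for parent lookups by later events
        self.findings = []

    def ingest(self, xml_text):
        ev = parse_event(xml_text)
        handler = {1: self._process_create, 10: self._process_access,
                   12: self._registry, 13: self._registry}.get(ev["EventID"])
        if handler:
            handler(ev)
        return ev

    def _process_create(self, ev):
        self.procs[ev["ProcessGuid"]] = ev
        if ev["Image"].rsplit("\\", 1)[-1].lower() not in ARCHIVERS:
            return
        # 7-Zip's command is the first token after the (quoted) image: x = extract with paths, e = extract flat
        cmd = re.match(r'^(?:"[^"]*"|\S+)\s+([a-z])\b', ev["CommandLine"])
        out = re.search(r'-o(?:"([^"]*)"|(\S+))', ev["CommandLine"])
        outdir = (out.group(1) or out.group(2)) if out else ""
        if cmd and cmd.group(1) in ("x", "e") and USER_DROP_DIRS.search(outdir):
            self.findings.append({"rule": "archive_extract_to_user_dir", "user": ev["User"],
                                  "outdir": outdir, "parent": ev["ParentImage"],
                                  "integrity": ev.get("IntegrityLevel", "")})

    def _process_access(self, ev):
        if int(ev["GrantedAccess"], 16) != PROCESS_ALL_ACCESS:
            return
        target = self.procs.get(ev["TargetProcessGuid"], {})
        src = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        # csrss opens every new process, and a parent opening its own child is expected; anything else is worth a look
        expected = src == "csrss.exe" or ev["SourceProcessGuid"] == target.get("ParentProcessGuid")
        self.findings.append({"rule": "process_all_access", "source": ev["SourceImage"],
                              "target": ev["TargetImage"], "expected": expected})

    def _registry(self, ev):
        key = ev["TargetObject"]
        if not SHELLBAG_KEY.search(key) or not ev["Image"].lower().endswith("\\explorer.exe"):
            return
        sid = HKU_SID.match(key)
        rid = int(sid.group(2)) if sid else None   # RID 500 is the built-in Administrator account
        self.findings.append({"rule": "shellbag_update", "sid": sid.group(1) if sid else "",
                              "builtin_admin": rid == 500, "key": key, "details": ev.get("Details", "")})


def make_event(event_id, **data):
    """Build constructed Sysmon-shaped XML for test input (values contain no XML metacharacters)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>win-dc-291.attackrange.local</Computer></System><EventData>{fields}</EventData></Event>')


ZIP_GUID, EXPLORER_GUID = "{4DF467A6-9156-613B-7A22-01000000F001}", "{4DF467A6-3EE5-613A-21FA-00000000F001}"
SAMPLE_EVENTS = [  # constructed from the dump's visible values
    make_event(1, ProcessGuid=ZIP_GUID, Image=r"C:\Program Files\7-Zip\7zG.exe",
               CommandLine=r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\" -an -ai#7zMap7330:106:7zEvent5574',
               User=r"ATTACKRANGE\Administrator", IntegrityLevel="High",
               ParentProcessGuid=EXPLORER_GUID, ParentImage=r"C:\Windows\explorer.exe"),
    make_event(10, SourceProcessGuid="{4DF467A6-4446-6132-EC05-00000000F001}", SourceImage=r"C:\Windows\system32\csrss.exe",
               TargetProcessGuid=ZIP_GUID, TargetImage=r"C:\Program Files\7-Zip\7zG.exe", GrantedAccess="0x1fffff"),
    make_event(10, SourceProcessGuid=EXPLORER_GUID, SourceImage=r"C:\Windows\explorer.exe",
               TargetProcessGuid=ZIP_GUID, TargetImage=r"C:\Program Files\7-Zip\7zG.exe", GrantedAccess="0x1fffff"),
    make_event(13, EventType="SetValue", Image=r"C:\Windows\explorer.exe", Details="DWORD (0x0000003c)",
               TargetObject=r"HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\NodeSlot"),
]


def run(events=SAMPLE_EVENTS):
    """Feed events through the correlator in order and return the findings."""
    c = SysmonCorrelator()
    for e in events:
        c.ingest(e)
    return c.findings


if __name__ == "__main__":
    for f in run():
        print(f)
```

The correlator is order-sensitive on purpose: EventID 1 must arrive before the EventID 10 records that reference the new ProcessGuid, which is how Sysmon emits them; when replaying a Splunk export sorted newest-first, as the dump above is, reverse the batch before ingesting or the parent check degrades to the csrss allow-list only.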
12241200x80000000000000007550186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007550185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007550184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007550171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:44.773{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007550166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.769{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 12241200x80000000000000007550165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:44.769{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007550164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.765{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007550163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:44.765{4DF467A6-9158-613B-7B22-01000000F001}7940\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007550162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.765{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007550161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:44.761{4DF467A6-9158-613B-7B22-01000000F001}7940\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007550160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.761{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 
(rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007550159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.761{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007550158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.761{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007550157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.761{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007550156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.753{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007550155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.753{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007550154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.753{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007550153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.753{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007550152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.752{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007550151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.752{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007550150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.751{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007550149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.750{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007550148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.750{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 11241100x80000000000000007550147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007550146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031DABDF355DF23A52B06D9AC50135F9,SHA256=76D125A8F850502D65F669640A271DE65FECCF09E9BB13CB73834F4CDA77530Cfalsetrue 734700x80000000000000007550145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.748{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007550144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.747{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007550143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.747{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007550142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.747{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007550141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.747{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007550140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.746{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® 
Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007550139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.746{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007550138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.746{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007550137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.745{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007550136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.745{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007550135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.745{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007550134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.745{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007550133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.745{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007550132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.744{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007550131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.744{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007550130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.744{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007550129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.744{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 
734700x80000000000000007550128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.744{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007550127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.744{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007550126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.743{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007550125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.743{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007550124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.743{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007550123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.742{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 11241100x80000000000000007550122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007550121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B603B940952B67961061F26125B2FD3,SHA256=FC2444D92E9C06010866F30F557D6D93CD8D2E95D6538CE3453348955058AE06falsetrue 10341000x80000000000000007550120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.742{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.741{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007550118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.741{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 11241100x80000000000000007550117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007550116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=79341842F1A7C06237D7A5479A57343E,SHA256=824E1480E7802821497E4834BAD0B9DA92E2AF54627D4F44A9B2BE237CA17739falsetrue 734700x80000000000000007550115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.740{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007550114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.740{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007550113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.739{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007550112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.738{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007550111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.722{4DF467A6-9158-613B-7B22-01000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007550110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:44.721{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:44.721{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:44.721{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:44.721{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:44.721{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:44.721{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007550104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:44.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Sysmon records from the Microsoft-Windows-Sysmon/Operational channel, as exported by the Splunk universal forwarder. The export concatenated the event fields without delimiters, so each record is reconstructed below with Sysmon's own field names. The numeric prefix of every record decodes to EventID, Version, Level=4, Task (equal to the EventID), Opcode=0 and Keywords=0x8000000000000000; the schema Version is 5 for Event 1 and 23, 3 for Event 5, 7 and 10, 2 for Event 11, 12 and 13, and 1 for Event 17 and 18. RuleName is "-" in every record. Records are listed newest first, as in the export.

(Continuation of the preceding Event 11 FileCreate record, cut at the chunk boundary) Image=...Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675

Event 23 FileDelete (file archived), Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, User=NT AUTHORITY\SYSTEM, IsExecutable=false, Archived=true:
EventID=23 | RecordID=7550103 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-10 17:09:44.138 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=9B27777AD01512BB8B8A09AAED0183D3,SHA256=6CBB97CB8190C30BEC606213341791AA8679F9BC633DFE2E81F59D504B1AF372
EventID=23 | RecordID=2131725 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-10 17:09:44.424 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=44551B3776D69E56B4FC6B27DF6A0758,SHA256=8BBB7E6AD18E0A8C4A6B50513014735AA316C66E37EE7F989938BE052C087BD2,IMPHASH=00000000000000000000000000000000
EventID=23 | RecordID=2131724 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-10 17:09:44.271 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=007F6133E36F97AB3D5CCADC2E1604E2,SHA256=0903DD0C7F56328FAFD28903C94877349C344E9057E624608C8BAE535D5FE423,IMPHASH=00000000000000000000000000000000
EventID=23 | RecordID=2131723 | Computer=win-host-296.attackrange.local | UtcTime=2021-09-10 17:09:44.271 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=F1118CF66612829647A6DC58E771D2F8,SHA256=9D7D4FA414E8FE68B457F16CB33DBDF870F620E8A220D2C79EF2BBCD5FA04DE5,IMPHASH=00000000000000000000000000000000

Lifetime of splunk-powershell.exe on win-dc-291.attackrange.local. Unless a record shows a different source process, every record from RecordID 7550369 down to 7550323 has ProcessGuid={4DF467A6-9159-613B-7C22-01000000F001}, ProcessId=8140, Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe. Event 7 ImageLoad records all have Signed=true and SignatureStatus=Valid.
EventID=5 ProcessTerminate | RecordID=7550369 | UtcTime=2021-09-10 17:09:45.529
EventID=7 ImageLoad | RecordID=7550368 | UtcTime=2021-09-10 17:09:45.529 | ImageLoaded=C:\Windows\System32\kernel.appcore.dll | FileVersion=10.0.14393.2312 (rs1_release.180607-1919) | Description=AppModel API Host | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel.appcore.dll | Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | Signature=Microsoft Windows
EventID=10 ProcessAccess | RecordID=7550367 | UtcTime=2021-09-10 17:09:45.529 | SourceProcessGUID={4DF467A6-9159-613B-7C22-01000000F001} | SourceProcessId=8140 | SourceThreadId=5312 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | TargetProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} | TargetProcessId=7044 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 ImageLoad | RecordID=7550366 | UtcTime=2021-09-10 17:09:45.529 | ImageLoaded=C:\Windows\System32\dbgcore.dll | FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) | Description=Windows Core Debugging Helpers | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGCORE.DLL | Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550365 | UtcTime=2021-09-10 17:09:45.529 | ImageLoaded=C:\Windows\System32\dbghelp.dll | FileVersion=10.0.14321.1024 (rs1_release.160715-1616) | Description=Windows Image Helper | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGHELP.DLL | Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550364 | UtcTime=2021-09-10 17:09:45.409 | ImageLoaded=C:\Windows\System32\cryptbase.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Base cryptographic API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptbase.dll | Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550363 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\rsaenh.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Microsoft Enhanced Cryptographic Provider | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rsaenh.dll | Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550362 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\cryptsp.dll | FileVersion=10.0.14393.2969 (rs1_release.190503-1820) | Description=Cryptographic Service Provider API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptsp.dll | Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | Signature=Microsoft Windows
EventID=18 PipeConnected | RecordID=7550361 | EventType=ConnectPipe | UtcTime=2021-09-10 17:09:45.405 | PipeName=\srvsvc
EventID=7 ImageLoad | RecordID=7550360 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\srvcli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Server Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SRVCLI.DLL | Hashes=MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | Signature=Microsoft Windows
EventID=18 PipeConnected | RecordID=7550359 | EventType=ConnectPipe | UtcTime=2021-09-10 17:09:45.405 | PipeName=\wkssvc
EventID=7 ImageLoad | RecordID=7550358 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550357 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550356 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550355 | UtcTime=2021-09-10 17:09:45.405 | ImageLoaded=C:\Windows\System32\netapi32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NetApi32.DLL | Hashes=MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550354 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | Signature=Microsoft Corporation
EventID=7 ImageLoad | RecordID=7550353 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550352 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550351 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550350 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550349 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550348 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550347 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.3269 (rs1_release.190929-1234) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550346 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550345 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550344 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550343 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550342 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550341 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=vcruntime140.dll | Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | Signature=Microsoft Corporation
EventID=7 ImageLoad | RecordID=7550340 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550339 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | FileVersion=1.0.2t | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=libeay32.dll | Hashes=MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550338 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550337 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550336 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550335 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.3808 (rs1_release.200707-2105) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550334 | UtcTime=2021-09-10 17:09:45.397 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | FileVersion=1.0.2t | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=ssleay32.dll | Hashes=MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550333 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550332 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550331 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\activeds.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=ADs Router Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ADs | Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550330 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | FileVersion=2.9.9 | Description=libxml2 library | Product=libxml2 | Company=- | OriginalFileName=libxml2.dll | Hashes=MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550329 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | Signature=Splunk, Inc.
EventID=7 ImageLoad | RecordID=7550328 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1 | Signature=Microsoft Windows
EventID=10 ProcessAccess | RecordID=7550327 | UtcTime=2021-09-10 17:09:45.393 | SourceProcessGUID={4DF467A6-D934-6137-57AF-00000000F001} | SourceProcessId=5448 | SourceThreadId=6556 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={4DF467A6-9159-613B-7C22-01000000F001} | TargetProcessId=8140 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 ImageLoad | RecordID=7550326 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550325 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550324 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | Signature=Microsoft Windows
EventID=7 ImageLoad | RecordID=7550323 | UtcTime=2021-09-10 17:09:45.393 | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 | Signature=Splunk, Inc.
EventID=10 ProcessAccess | RecordID=7550322 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-10 17:09:45.389 | SourceProcessGUID={4DF467A6-3F46-6132-0500-00000000F001} | SourceProcessId=412 | SourceThreadId=528 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={4DF467A6-9159-613B-7C22-01000000F001} | TargetProcessId=8140 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 ProcessAccess | RecordID=7550321 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-10 17:09:45.389 | SourceProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} | SourceProcessId=7044 | SourceThreadId=1372 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={4DF467A6-9159-613B-7C22-01000000F001} | TargetProcessId=8140 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 ProcessCreate | RecordID=7550320 | Computer=win-dc-291.attackrange.local | UtcTime=2021-09-10 17:09:45.376 | ProcessGuid={4DF467A6-9159-613B-7C22-01000000F001} | ProcessId=8140 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={4DF467A6-3F46-6132-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241 | ParentProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} | ParentProcessId=7044 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Anonymous pipes set up by the parent, splunkd.exe, immediately before the launch. All six records: Computer=win-dc-291.attackrange.local, UtcTime=2021-09-10 17:09:45.373, ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001}, ProcessId=7044, PipeName=<Anonymous Pipe>, Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe.
EventID=18 PipeConnected | RecordID=7550319 | EventType=ConnectPipe
EventID=17 PipeCreated | RecordID=7550318 | EventType=CreatePipe
EventID=18 PipeConnected | RecordID=7550317 | EventType=ConnectPipe
EventID=17 PipeCreated | RecordID=7550316 | EventType=CreatePipe
EventID=18 PipeConnected | RecordID=7550315 | EventType=ConnectPipe
EventID=17 PipeCreated | RecordID=7550314 | EventType=CreatePipe

Registry activity by the interactive shell. All records below: Computer=win-dc-291.attackrange.local, ProcessGuid={4DF467A6-3EE5-613A-21FA-00000000F001}, ProcessId=2428, Image=C:\Windows\explorer.exe. Event 13 is SetValue (Details shown), Event 12 is CreateKey.
EventID=13 SetValue | RecordID=7550313 | UtcTime=2021-09-10 17:09:45.161 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000100404\VirtualDesktop | Details=Binary Data
EventID=12 CreateKey | RecordID=7550312 | UtcTime=2021-09-10 17:09:45.161 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000100404
EventID=13 SetValue | RecordID=7550311 | UtcTime=2021-09-10 17:09:45.139 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState | Details=Binary Data
EventID=12 CreateKey | RecordID=7550310 | UtcTime=2021-09-10 17:09:45.139 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
EventID=13 SetValue | RecordID=7550309 | UtcTime=2021-09-10 17:09:45.133 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState | Details=Binary Data
EventID=12 CreateKey | RecordID=7550308 | UtcTime=2021-09-10 17:09:45.133 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
EventID=13 SetValue | RecordID=7550307 | UtcTime=2021-09-10 17:09:45.133 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner | Details=Binary Data
EventID=12 CreateKey | RecordID=7550306 | UtcTime=2021-09-10 17:09:45.133 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
EventID=12 CreateKey | RecordID=7550305 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1
EventID=12 CreateKey | RecordID=7550304 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4
EventID=12 CreateKey | RecordID=7550303 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventID=12 CreateKey | RecordID=7550302 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1
EventID=12 CreateKey | RecordID=7550301 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4
EventID=13 SetValue | RecordID=7550300 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Details=Binary Data
EventID=12 CreateKey | RecordID=7550299 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventID=13 SetValue | RecordID=7550298 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Details=Binary Data
EventID=12 CreateKey | RecordID=7550297 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
EventID=12 CreateKey | RecordID=7550296 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1
EventID=12 CreateKey | RecordID=7550295 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4
EventID=12 CreateKey | RecordID=7550294 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventID=12 CreateKey | RecordID=7550293 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1
EventID=12 CreateKey | RecordID=7550292 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4
EventID=13 SetValue | RecordID=7550291 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Details=Binary Data
EventID=12 CreateKey | RecordID=7550290 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventID=13 SetValue | RecordID=7550289 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Details=Binary Data
EventID=12 CreateKey | RecordID=7550288 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
EventID=13 SetValue | RecordID=7550287 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\60\Shell\SniffedFolderType | Details=Documents
EventID=13 SetValue | RecordID=7550286 | UtcTime=2021-09-10 17:09:45.121 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\60\Shell\SniffedFolderType | Details=Documents
EventID=13 SetValue | RecordID=7550285 | UtcTime=2021-09-10 17:09:45.113 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageList | Details=Binary Data
EventID=13 SetValue | RecordID=7550284 | UtcTime=2021-09-10 17:09:45.109 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA | Details=Binary Data
EventID=13 SetValue | RecordID=7550283 | UtcTime=2021-09-10 17:09:45.109 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere | Details=Binary Data
EventID=13 SetValue | RecordID=7550282 | UtcTime=2021-09-10 17:09:45.097 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState | Details=Binary Data
EventID=12 CreateKey | RecordID=7550281 | UtcTime=2021-09-10 17:09:45.097 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
EventID=13 SetValue | RecordID=7550280 | UtcTime=2021-09-10 17:09:45.093 | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedState | Details=Binary Data
12241200x80000000000000007550279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.093{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000007550278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.089{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000007550277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.089{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000007550276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.089{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000007550275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.089{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000007550274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\60\Shell\SniffedFolderTypeGeneric 12241200x80000000000000007550273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 
12241200x80000000000000007550267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007550264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000007550255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x80000000000000007550254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x80000000000000007550253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007550252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x80000000000000007550251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x80000000000000007550250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x80000000000000007550249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x80000000000000007550248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x80000000000000007550247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x80000000000000007550246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x80000000000000007550245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x80000000000000007550244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x80000000000000007550243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x80000000000000007550242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\49\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x80000000000000007550241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.081{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007550234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 
12241200x80000000000000007550233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:45.069{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 23542300x80000000000000002131727Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:45.441{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD7762F43CA877FC8937DA6B31408A2,SHA256=49FD82A94FB6E5A6E504C27166CA675CB77A23A4B43044D92436370AA4F37CD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131726Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:35.974{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62373-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000007550488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.834{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007550487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.834{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® 
Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007550486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.834{4DF467A6-915A-613B-7E22-01000000F001}31404196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.834{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007550484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.834{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007550483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.770{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007550482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.770{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 734700x80000000000000007550481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.710{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007550480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.710{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000007550479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.710{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007550478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:46.710{4DF467A6-915A-613B-7E22-01000000F001}3140\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007550477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.710{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007550476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:46.710{4DF467A6-915A-613B-7E22-01000000F001}3140\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007550475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.706{4DF467A6-915A-613B-7E22-01000000F001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007550391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007550390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007550389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007550388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007550387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007550386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007550385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007550383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.074{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007550382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.070{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007550381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.070{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007550380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:46.070{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007550379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.070{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007550378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.055{4DF467A6-915A-613B-7D22-01000000F001}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007550377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:46.054{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:46.054{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:46.054{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:46.054{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007550373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.054{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 18141800x80000000000000007550372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:46.054{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007550371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:46.054{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000007550370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:46.054{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3962BB8B953712ED41177CB409C7AFB9,SHA256=87764007712518F3FEED2E6E1CF290EE155E440E0D5855534D337DC278B8A921falsetrue 23542300x80000000000000002131728Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:46.442{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030D6BDCE18F6B79457C68461FD26BF0,SHA256=038D4E1BA58A5D0293F2A5EBCC21861874DEE39916CA3408D24533EACEC1E0AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007550548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:28.116{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56781-false10.0.1.12-8000- 534500x80000000000000007550547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.649{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007550546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.648{4DF467A6-915B-613B-7F22-01000000F001}3003560C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.647{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007550544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.647{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007550543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.523{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007550542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.523{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007550541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007550540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007550539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007550538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007550537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007550536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007550535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000007550534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007550533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.519{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007550532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007550531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007550530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007550529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007550528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007550527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL 
Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007550526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007550525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007550524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007550523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 
734700x80000000000000007550522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007550521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007550520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007550519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft 
WindowsValid 734700x80000000000000007550518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007550517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007550516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007550515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007550514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.511{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007550513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007550512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007550511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007550510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007550509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007550508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007550507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007550506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007550505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000007550503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 11241100x80000000000000007550502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007550501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D8AB231CE7E09EEEFF5D2D335A665CC,SHA256=CBD839708607C9376FDCF18586CA1EF3E225A08913CAD110939E01EDE61AD91Bfalsetrue 734700x80000000000000007550500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.503{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007550499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.503{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007550498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.503{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007550497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.503{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007550496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:47.488{4DF467A6-915B-613B-7F22-01000000F001}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007550495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:47.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:47.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:47.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:47.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:09:47.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:47.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 12241200x80000000000000007550489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:47.043{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 23542300x80000000000000002131729Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:47.460{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3525BDB64F81EB3EE698C6011B38E4C3,SHA256=E7D676FFD7B5316FB5D846F947C7301322F6D8D3DC1D8EE3949347B32DC9FE16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007550800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:29.635{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56782-false10.0.1.12-8089- 534500x80000000000000007550799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.920{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007550798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.920{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007550797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.920{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007550796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.916{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007550795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007550794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007550793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007550792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007550791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007550790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 
734700x80000000000000007550789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007550788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.792{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007550787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.788{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007550786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007550785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007550784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007550783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007550782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007550781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007550780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000007550779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 
734700x80000000000000007550778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007550777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007550776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007550775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 
734700x80000000000000007550774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007550773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007550772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007550771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft 
WindowsValid 734700x80000000000000007550770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007550769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.784{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007550768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007550767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 
734700x80000000000000007550766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007550765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007550764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007550763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007550762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007550761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007550760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007550759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 11241100x80000000000000007550758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 11241100x80000000000000007550757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 734700x80000000000000007550756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 23542300x80000000000000007550755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE76A001B3371C1D2E446F39DDAE9175,SHA256=480AB0EF5A4CE1AECFCFAAF11E3B78D0C73FC68098C6AFF17AFBED9A55796AD6falsetrue 
23542300x80000000000000007550754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C21A1C5D83A7B1E72B20D2343862473A,SHA256=FC22269CE06AD34BC61B4A1B49E287970F6CC9815B532231FDC8B19C6C0A55BDfalsetrue 10341000x80000000000000007550753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.780{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007550752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.776{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007550751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.776{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007550750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.776{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007550749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.776{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007550748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.776{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007550747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.776{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007550746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.761{4DF467A6-915C-613B-8122-01000000F001}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007550745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.760{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:48.760{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.760{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:48.760{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.760{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:48.760{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 13241300x80000000000000007550739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.520{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001001E6\VirtualDesktopBinary Data 12241200x80000000000000007550738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:48.520{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001001E6 13241300x80000000000000007550737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.488{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000007550736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.488{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000007550735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.484{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000007550734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.484{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000007550733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.484{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 
12241200x80000000000000007550732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.484{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 12241200x80000000000000007550731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 
12241200x80000000000000007550726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 
12241200x80000000000000007550720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000007550709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\61\Shell\SniffedFolderTypeDocuments 13241300x80000000000000007550708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:48.476{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\61\Shell\SniffedFolderTypeDocuments 13241300x80000000000000007550707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.464{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007550706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.464{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007550705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.464{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000007550704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.450{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000007550703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.450{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 
13241300x80000000000000007550702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.445{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x80000000000000007550701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.445{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x80000000000000007550700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.445{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000007550699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.445{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000007550698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.444{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x80000000000000007550697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:48.444{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x80000000000000007550696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.436{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\61\Shell\SniffedFolderTypeGeneric 12241200x80000000000000007550695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000007550684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 12241200x80000000000000007550681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 12241200x80000000000000007550680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1\0 12241200x80000000000000007550679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4\1 12241200x80000000000000007550678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\4 13241300x80000000000000007550677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x80000000000000007550676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 13241300x80000000000000007550675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000007550674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:48.432{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000007550673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007550568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007550567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007550566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007550565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 
(rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 11241100x80000000000000007550564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 10341000x80000000000000007550563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007550562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705720E36668B9604B2635E596B14ABB,SHA256=83A059E47A0BCBDB771F28522006D97959EE71D56BA2D33908E454D6D3F90EB7falsetrue 734700x80000000000000007550561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.100{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007550560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.096{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007550559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.096{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007550558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.096{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007550557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:48.096{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007550556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.096{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007550555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:48.081{4DF467A6-915C-613B-8022-01000000F001}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007550554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:48.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:48.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007550550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:09:48.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007550549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:09:48.080{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
23542300x80000000000000002131730Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:48.461{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F678A0F3620D623A377E83FD549F546C,SHA256=405FF37178D8B2FCC847A085D6435A01727D447AF87B2E5A844C6FA7D52F3560,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007550832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007550831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007550830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007550829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.449{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll16.0.13801.20442Microsoft Office Shell Extension HandlersMicrosoft OfficeMicrosoft Corporationmsoshext.dllMD5=08AB004F0278B5B461F732D7740A5874,SHA256=A8C1819BFD9FAD66B3360E7757F63A18E1C7D961217B01DBD7C0764217D4027CtrueMicrosoft CorporationValid 12241200x80000000000000007550828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007550827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007550826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007550820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007550812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007550811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007550810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007550809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.461{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007550808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.455{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=F60E0D8C88242FE8CA38A8562685F231,SHA256=254F5CDE2DEF2BF3941F746E4902A36F5169BF73AE9E258E49BC1FEF7B26EC99trueMicrosoft CorporationValid 734700x80000000000000007550807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.451{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft 
Shared\OFFICE16\vcruntime140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=766F0D18983E0810882FBA122AD1163E,SHA256=F10EF6DE6C651DB42DBD455A1C674047862CEBF6CCCE1F784CDB0571C9EA9757trueMicrosoft CorporationValid 734700x80000000000000007550806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.450{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=74B5641A50C27B57ED0DA622E66A239E,SHA256=A571D26E536D4F7DA93ACC24EDB1D823140B660795576DC27F626F1889106D36trueMicrosoft CorporationValid 11241100x80000000000000007550805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007550804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.449{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC5396EAFBEFD4C48B733BAD0987BE3,SHA256=AC44C070812AFD3D5914346A5C488DC1707AA44D4DE58E75FE89C774C50CECF0falsetrue 12241200x80000000000000007550803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.449{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000007550802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.433{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:49.433{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 23542300x80000000000000002131731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:49.462{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416A69433D4EF0C0EFA92B5D1BBD2D15,SHA256=8D053F2C3B51006BF49E9380013BEB3F894644F794F26295BB1E3ECFBE848AE6,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007551114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.957{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 12241200x80000000000000007551113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.818{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.482{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun 12241200x80000000000000007551111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.482{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office 12241200x80000000000000007551110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.482{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft 12241200x80000000000000007551109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.482{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE 10341000x80000000000000007551108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.482{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+498a3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5206d|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvSubsystemController.dll+5132f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.470{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5eac4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5fb06|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+178f5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0e4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000007551106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.470{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4177c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18b13|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18013|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+19af2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common 
Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 10341000x80000000000000007551105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.462{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8f4a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+822c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007551104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.462{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7ae3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007551103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.458{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\Common 734700x80000000000000007551102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.458{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 
734700x80000000000000007551101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.456{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x80000000000000007551100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.456{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 12241200x80000000000000007551099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007551091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.418{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\dsclient.dll10.0.14393.0 (rs1_release.160715-1616)Data Sharing Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdsclient.dllMD5=68B9D02A469519C6BFD9F39854EE8E62,SHA256=A7646650AB50D076DBBC6E9B767565DDA71B078814BC2071BA525F118B861883trueMicrosoft WindowsValid 12241200x80000000000000007551090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000007551089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.455{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000007551088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007551082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.455{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 12241200x80000000000000007551081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.455{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.454{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000007551072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.454{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 
734700x80000000000000007551071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.454{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000007551070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.454{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007551069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.453{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000007551068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.453{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x80000000000000007551067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.452{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007551066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.414{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\WpPortingLibrary.dll10.0.14393.0 (rs1_release.160715-1616)<d> DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWpPortingLibrary.dllMD5=9F86158107F4C4A954E1A1594A73E769,SHA256=8D797D0B92ACE4957EDC3380C06D54CC2912896248A2A68E86F83FA0B7A24136trueMicrosoft WindowsValid 12241200x80000000000000007551065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007551061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007551046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.450{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.450{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.447{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000007551041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.444{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.443{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.442{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007551038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.414{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\System32\Windows.System.Launcher.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.System.LauncherMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.System.Launcher.dllMD5=384379949D62C818AF52A5DE919A62FD,SHA256=21F85FFD4DD9A61088194F9A416ED1496EE781033D1A23E69893EAC583C72B68trueMicrosoft WindowsValid 12241200x80000000000000007551037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007551026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.438{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.434{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007551013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.434{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x80000000000000007551012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:09:50.406{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000007550883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.406{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xaa423cd5) 12241200x80000000000000007550882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.406{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007550881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.406{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 12241200x80000000000000007550880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.402{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 734700x80000000000000007550879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.398{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\msvcp140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=F60E0D8C88242FE8CA38A8562685F231,SHA256=254F5CDE2DEF2BF3941F746E4902A36F5169BF73AE9E258E49BC1FEF7B26EC99trueMicrosoft CorporationValid 
734700x80000000000000007550878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.398{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=766F0D18983E0810882FBA122AD1163E,SHA256=F10EF6DE6C651DB42DBD455A1C674047862CEBF6CCCE1F784CDB0571C9EA9757trueMicrosoft CorporationValid 12241200x80000000000000007550877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.398{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.398{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007550875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.398{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007550874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.398{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007550873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.398{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 12241200x80000000000000007550872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.394{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 734700x80000000000000007550871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.394{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140_1.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=74B5641A50C27B57ED0DA622E66A239E,SHA256=A571D26E536D4F7DA93ACC24EDB1D823140B660795576DC27F626F1889106D36trueMicrosoft CorporationValid 734700x80000000000000007550870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.394{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007550869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.394{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 12241200x80000000000000007550868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.394{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 734700x80000000000000007550867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.394{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007550866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.394{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 13241300x80000000000000007550865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.394{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007550864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.394{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 734700x80000000000000007550863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.394{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 13241300x80000000000000007550862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.394{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x80000000000000007550861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 13241300x80000000000000007550860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.390{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{163ACCA6-2ADB-4EB5-A139-3AF036D57823}\LaunchCountDWORD (0x00000006) 
13241300x80000000000000007550859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.390{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{163ACCA6-2ADB-4EB5-A139-3AF036D57823}\LastAccessedTimeQWORD (0x01d7a666-0xaa3fc560) 12241200x80000000000000007550858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.390{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 734700x80000000000000007550857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 13241300x80000000000000007550856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.390{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007550855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.390{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Zvpebfbsg 
Bssvpr\Ebbg\Bssvpr16\JVAJBEQ.RKRBinary Data 12241200x80000000000000007550854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.390{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007550853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007550852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.390{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store 10341000x80000000000000007550851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-3F48-6132-1200-00000000F001}8525360C:\Windows\System32\svchost.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-3F48-6132-1200-00000000F001}8525360C:\Windows\System32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007550848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.390{4DF467A6-3EE5-613A-21FA-00000000F001}24283720C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007550847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.375{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\Project details (1).docx" /o ""C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 
Malicious Docs\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 12241200x80000000000000007550846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.370{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007550843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007550842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007550841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 12241200x80000000000000007550840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 12241200x80000000000000007550839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.362{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.358{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 11241100x80000000000000007550837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007550836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:50.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA051192F754F9C2348FF314C5B79B1,SHA256=E05A5FB0E2B07BE541DA04CC6A02703DA9C22324AA1D1E0B632A9241E569246Ffalsetrue 
12241200x80000000000000007550835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.133{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.133{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007550833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:50.133{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 23542300x80000000000000002131734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:50.464{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8034D169FD2EB2BE781A86ECBD9DBD91,SHA256=A5E7B8F4C2AD8C0D77E44126EF459FE05E0BD1674C427BC7FC6E9675BF9B26C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:50.095{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25232A5B8BC7FFD0B7C21B046BC2523,SHA256=3E6E28EDD599902743556781D3AC192BD5993D07CAD302B305265DD3CA385342,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002131732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:50.095{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=007F6133E36F97AB3D5CCADC2E1604E2,SHA256=0903DD0C7F56328FAFD28903C94877349C344E9057E624608C8BAE535D5FE423,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007551790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.999{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 13241300x80000000000000007551789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.991{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\:0 Binary Data 12241200x80000000000000007551788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.991{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
Sysmon records, channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-291.attackrange.local, 2021-09-10 (UtcTime), newest record first. Every record carries RuleName "-", Level 4, Opcode 0 and Keywords 0x8000000000000000; EventID 12 is schema version 2, EventID 7 and 10 are version 3. The export drops the XML field delimiters, so the fields are reconstructed below from their shapes.

ProcessGuid values in this slice (path case varies between event types in the export; EID 10 exports SourceProcessId and SourceThreadId with no separator, so the two are shown fused as written):
  {4DF467A6-3F58-6132-2B00-00000000F001}  PID 2948  C:\Windows\sysmon64.exe
  {4DF467A6-915F-613B-8322-01000000F001}  PID 7048  C:\Windows\System32\wbem\WmiPrvSE.exe
  {4DF467A6-915E-613B-8222-01000000F001}  PID 5676  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  {4DF467A6-3F46-6132-0B00-00000000F001}  C:\Windows\system32\lsass.exe (EID 10 source, PID+TID 6367016)
  {4DF467A6-3F48-6132-1100-00000000F001}  C:\Windows\system32\svchost.exe (EID 10 source, PID+TID 3601648)
  {4DF467A6-4448-6132-F805-00000000F001}  C:\Windows\system32\taskhostw.exe (EID 10 source, PID+TID 32924248)
  {4DF467A6-3F48-6132-1600-00000000F001}  C:\Windows\system32\svchost.exe (EID 10 source, PID+TID 12487100)

Row layouts:
  EID 12 (RegistryEvent):  12 | EventRecordID | UtcTime | EventType | PID Image | TargetObject
  EID 7 (ImageLoad):       7 | EventRecordID | UtcTime | PID Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
  EID 10 (ProcessAccess):  10 | EventRecordID | UtcTime | SourceImage (PID+TID) -> TargetPID TargetImage | GrantedAccess | CallTrace (frames separated by "|", as Sysmon writes them)

12 | 7551786 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 7551785 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 7551784 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7551783 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 7551782 | 17:09:51.939 | 7048 WmiPrvSE.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
12 | 7551781 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551780 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551779 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551778 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551777 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551776 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551775 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551774 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551773 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551772 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551771 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551770 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551769 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551768 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551767 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551766 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551765 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7551764 | 17:09:51.987 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7 | 7551763 | 17:09:51.983 | 7048 WmiPrvSE.exe | C:\Windows\System32\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Configuration Manager DLL | Microsoft® Windows® Operating System | Microsoft Corporation | CFGMGR32.DLL | MD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704 | true | Microsoft Windows | Valid
7 | 7551762 | 17:09:51.983 | 7048 WmiPrvSE.exe | C:\Windows\System32\devobj.dll | 10.0.14393.0 (rs1_release.160715-1616) | Device Information Set DLL | Microsoft® Windows® Operating System | Microsoft Corporation | devinfoset.DLL | MD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11 | true | Microsoft Windows | Valid
7 | 7551761 | 17:09:51.979 | 7048 WmiPrvSE.exe | C:\Windows\System32\wmiclnt.dll | 10.0.14393.0 (rs1_release.160715-1616) | WMI Client API | Microsoft® Windows® Operating System | Microsoft Corporation | wmiclnt.dll | MD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08 | true | Microsoft Windows | Valid
7 | 7551760 | 17:09:51.979 | 7048 WmiPrvSE.exe | C:\Windows\System32\wmi.dll | 10.0.14393.0 (rs1_release.160715-1616) | WMI DC and DP functionality | Microsoft® Windows® Operating System | Microsoft Corporation | wmi.DLL | MD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DA | true | Microsoft Windows | Valid
12 | 7551759 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
10 | 7551758 | 17:09:51.979 | lsass.exe (6367016) -> 7048 C:\Windows\system32\wbem\wmiprvse.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 7551757 | 17:09:51.979 | lsass.exe (6367016) -> 7048 C:\Windows\system32\wbem\wmiprvse.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12 | 7551756 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 7551755 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 7551754 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 7551753 | 17:09:51.931 | 7048 WmiPrvSE.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | true | Microsoft Windows | Valid
12 | 7551752 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7551751 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7551750 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551749 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551748 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551747 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551746 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551745 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551744 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551743 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551742 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551741 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551740 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551739 | 17:09:51.979 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551738 | 17:09:51.975 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551737 | 17:09:51.975 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551736 | 17:09:51.975 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551735 | 17:09:51.975 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551734 | 17:09:51.975 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7551733 | 17:09:51.975 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7 | 7551732 | 17:09:51.975 | 7048 WmiPrvSE.exe | C:\Windows\System32\sspicli.dll | 10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | sspicli.dll | MD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25 | true | Microsoft Windows | Valid
10 | 7551731 | 17:09:51.975 | svchost.exe (3601648) -> 5676 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 7551730 | 17:09:51.975 | 7048 WmiPrvSE.exe | C:\Windows\System32\framedynos.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI SDK Provider Framework | Microsoft® Windows® Operating System | Microsoft Corporation | framedyn.dll | MD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2 | true | Microsoft Windows | Valid
10 | 7551729 | 17:09:51.975 | svchost.exe (3601648) -> 5676 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 0x40 | CallTrace identical to record 7551731
10 | 7551728 | 17:09:51.971 | svchost.exe (3601648) -> 5676 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 0x40 | CallTrace identical to record 7551731
7 | 7551727 | 17:09:51.971 | 7048 WmiPrvSE.exe | C:\Windows\System32\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616) | Power Profile Helper DLL | Microsoft® Windows® Operating System | Microsoft Corporation | POWRPROF.DLL | MD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575 | true | Microsoft Windows | Valid
12 | 7551726 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 7551725 | 17:09:51.971 | 7048 WmiPrvSE.exe | C:\Windows\System32\wbem\cimwin32.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | WMI Win32 Provider | Microsoft® Windows® Operating System | Microsoft Corporation | cimwin32.dll | MD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7 | true | Microsoft Windows | Valid
12 | 7551724 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 7551723 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 7551722 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 7551721 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7551720 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 7551719 | 17:09:51.931 | 7048 WmiPrvSE.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4530 (rs1_release.210705-0736) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A | true | Microsoft Windows | Valid
12 | 7551718 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551717 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551716 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551715 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551714 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551713 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551712 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551711 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551710 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551709 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551708 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551707 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551706 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551705 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551704 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551703 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551702 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7551701 | 17:09:51.971 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7551700 | 17:09:51.959 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
10 | 7551699 | 17:09:51.959 | taskhostw.exe (32924248) -> 5676 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 7551698 | 17:09:51.959 | taskhostw.exe (32924248) -> 5676 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 0x1000 | CallTrace identical to record 7551699
12 | 7551697 | 17:09:51.959 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 7551696 | 17:09:51.959 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 7551695 | 17:09:51.959 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 7551694 | 17:09:51.839 | 5676 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL | 16.0.13801.20442 | RichEdit Version 8.0 | Microsoft Office | Microsoft Corporation | riched20.dll | MD5=4AADCAFE0937BFDD2C0E089B37549CD7,SHA256=8D12811470721C2A4775AE2CF2B236C5E16FD4215D70E63C768BD9F4ADBC364A | true | Microsoft Corporation | Valid
12 | 7551693 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7551692 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 7551691 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551690 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551689 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551688 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551687 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551686 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551685 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551684 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551683 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 7551682 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551681 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551680 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551679 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 7551678 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 7551677 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 7551676 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 7551675 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7551674 | 17:09:51.958 | CreateKey | 2948 sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 7551673 | 17:09:51.957 | CreateKey | 7048 C:\Windows\system32\wbem\wmiprvse.exe | HKCR
7 | 7551672 | 17:09:51.956 | 7048 WmiPrvSE.exe | C:\Windows\System32\wbem\wmiutils.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI | Microsoft® Windows® Operating System | Microsoft Corporation | wmiutils.dll | MD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4 | true | Microsoft Windows | Valid
7 | 7551671 | 17:09:51.955 | 5676 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Windows\System32\rasadhlp.dll | 10.0.14393.0 (rs1_release.160715-1616) | Remote Access AutoDial Helper | Microsoft® Windows® Operating System | Microsoft Corporation | rasadhlp.dll | MD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C | true | Microsoft Windows | Valid
12 | 7551670 | 17:09:51.954 | DeleteValue | 5676 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\PotentialDataLossInfo2
10 | 7551669 | 17:09:51.954 | svchost.exe (12487100) -> 7048 C:\Windows\system32\wbem\wmiprvse.exe | 0x101541 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 7551668 | 17:09:51.950 | 5676 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Windows\System32\webio.dll | 10.0.14393.3866 (rs1_release.200805-1327) | Web Transfer Protocols API | Microsoft® Windows® Operating System | Microsoft Corporation | webio.dll | MD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6 | true | Microsoft Windows | Valid
7 | 7551667 | 17:09:51.949 | 7048 WmiPrvSE.exe | C:\Windows\System32\wbem\wbemsvc.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI | Microsoft® Windows® Operating System | Microsoft Corporation | wbemsvc.dll | MD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF | true | Microsoft Windows | Valid
7 | 7551666 | 17:09:51.946 | 7048 WmiPrvSE.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 | 7551665 | 17:09:51.946 | 7048 WmiPrvSE.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | true | Microsoft Windows | Valid
7 | 7551664 | 17:09:51.946 | 7048 WmiPrvSE.exe | C:\Windows\System32\wbem\wbemprox.dll | 10.0.14393.4169 (rs1_release.210107-1130) | WMI | Microsoft® Windows® Operating System | Microsoft Corporation | wbemprox.dll | MD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3 | true | Microsoft Windows | Valid
7 | 7551663 | 2021-09-10 | (record cut off at the end of this export; only the header, Computer and date survive)
17:09:51.945{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000007551662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.943{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.939{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007551660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.939{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007551659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.939{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007551658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.939{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007551657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.939{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007551656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x80000000000000007551655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\Wbem 12241200x80000000000000007551654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007551653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE 12241200x80000000000000007551652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\Wbem 12241200x80000000000000007551651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007551650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE 734700x80000000000000007551649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 12241200x80000000000000007551648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007551647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007551646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007551645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
(rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000007551644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007551641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DABtrueMicrosoft WindowsValid 12241200x80000000000000007551640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007551635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 12241200x80000000000000007551634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
734700x80000000000000007551632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.935{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 12241200x80000000000000007551631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.935{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007551629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.807{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL16.0.55555.10000Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMsoAria.dllMD5=2357126682CE4CAB2E5963883400D41D,SHA256=878BF317D30612C970E2EFDF93C3F22BF360D0304CFB54E96D638E8A5DE24E51trueMicrosoft CorporationValid 12241200x80000000000000007551628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007551625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x80000000000000007551624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
734700x80000000000000007551620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 12241200x80000000000000007551619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 12241200x80000000000000007551615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.931{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007551613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 11241100x80000000000000007551612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\A0FC1244056019D179FA0CCAC0F7FCC62021-09-09 17:20:38.591 734700x80000000000000007551611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2trueMicrosoft WindowsValid 
10341000x80000000000000007551610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.931{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007551609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.931{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x80000000000000007551608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.927{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 10341000x80000000000000007551607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.927{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007551606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.927{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007551605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.892{4DF467A6-915F-613B-8322-01000000F001}7048C:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK 
SERVICE{4DF467A6-3F47-6132-E403-000000000000}0x3e40SystemMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 734700x80000000000000007551604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.923{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 12241200x80000000000000007551603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007551600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.791{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft 
Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 12241200x80000000000000007551599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007551592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.923{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007551578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.923{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-09 17:20:36.243 12241200x80000000000000007551577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007551576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.783{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 12241200x80000000000000007551575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.919{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007551564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007551552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.915{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-09 17:20:35.943 12241200x80000000000000007551551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.915{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.911{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.911{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007551548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.759{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Security.Authentication.Web.Core.dll10.0.14393.4169 (rs1_release.210107-1130)Token Broker WinRT APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Security.Authentication.Web.Core.dllMD5=E3AB65431FF6EA142FECF301220904D0,SHA256=60F168A317109BA364699F1FA1A2DDD8E5B0008A16CD7F1DB80583848DFCA7CFtrueMicrosoft WindowsValid 11241100x80000000000000007551547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.911{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-09 17:20:35.191 12241200x80000000000000007551546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007551536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.907{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007551522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.903{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-09 17:20:34.561 11241100x80000000000000007551521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.899{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245 11241100x80000000000000007551520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.895{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 11241100x80000000000000007551519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.891{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 10341000x80000000000000007551518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.887{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.887{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.887{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007551515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 734700x80000000000000007551511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.735{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10_1core.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1Core.dllMD5=AD41EACFB2A670E17F2C09F8AB06F428,SHA256=208B4CF05936AC21EB0337FB17B1B8F12D778A6E880435C589202457EB0CF73EtrueMicrosoft WindowsValid 12241200x80000000000000007551510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007551496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.887{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007551480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.883{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 11241100x80000000000000007551479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.883{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 12241200x80000000000000007551478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.883{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007551477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.883{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000007551476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.883{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 
11241100x80000000000000007551475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.879{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 12241200x80000000000000007551474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007551472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.879{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 734700x80000000000000007551471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.731{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10_1.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1.dllMD5=9945D52ACD8FED11F0A636F916C4FF16,SHA256=97C5A99ED38F8516133D6B95070C5998BAAE75EAEF730531D91B81FEE4B81D82trueMicrosoft WindowsValid 12241200x80000000000000007551470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
12241200x80000000000000007551469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007551454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.875{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007551446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000007551445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000007551444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000007551443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 11241100x80000000000000007551442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.875{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 
13241300x80000000000000007551441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000007551440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000007551439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000007551438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 13241300x80000000000000007551437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 
13241300x80000000000000007551436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000007551435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000007551434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.875{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 12241200x80000000000000007551433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.871{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.871{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007551431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.871{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 734700x80000000000000007551430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.871{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007551429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.679{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL16.0.13801.20796Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMSO.dllMD5=DEAB06C2DDF8959448455176D2A1754E,SHA256=49708B1D39D76B2E9F096B95BCB30B6601D3B5C8E1D84830740EC25FE8F38F39trueMicrosoft CorporationValid 734700x80000000000000007551428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.871{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000007551427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.867{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 12241200x80000000000000007551426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007551412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007551411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.867{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 12241200x80000000000000007551410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.867{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007551402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.867{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000007551401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.863{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.863{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\A0FC1244056019D179FA0CCAC0F7FCC6MD5=F21262515D28D3B3ED098AC29FD8C692,SHA256=C8258B8E383F27BFCC727E6F8B2917DFEDD7B9B37B30D10AFBDD66718061DD29falsetrue 10341000x80000000000000007551399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.863{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.863{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49FMD5=598D75DEF85DAB8D9EEF87077CCFA975,SHA256=5BEF2FF02F6455D276D9380F895A155BCF8B56696D897236BDA0EDF5C2296DCFfalsetrue 10341000x80000000000000007551397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.859{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.859{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=5C6EB6DDA21CE385CA47B4C21152ED8D,SHA256=986D4F6B812B1C9EF71861AE1C722CB751AD4E83D8B02BECDCEB1689EB9B9827falsetrue 10341000x80000000000000007551395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.859{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.859{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=C2055DA88A2F2E723D96A94C3073F6C5,SHA256=1C8F0FB8A86BA26581578DB82C9C43BC9785B846C087F76EF29491920F8B63DCfalsetrue 10341000x80000000000000007551393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.857{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.857{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=C5DA7C8EFA1866B99CAA6D30D866D31A,SHA256=281988A7AE6D65640A52FB6D14F004042342676EC520EFBF3E61E7509D69E310falsetrue 734700x80000000000000007551391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.854{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000007551390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.854{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client 
ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 10341000x80000000000000007551389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.853{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.853{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 23542300x80000000000000007551387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.853{4DF467A6-3F46-6132-0B00-00000000F001}636NT 
AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=42E077AEFF43FCF03D705D85DD4EFDB0,SHA256=00B7AD19E612486A28667B8A922757B88319A7AF750D6CA13DE357EB14E342BFfalsetrue 734700x80000000000000007551386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.852{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 734700x80000000000000007551385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.849{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007551384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.849{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 10341000x80000000000000007551383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.848{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.848{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=A574F1CD8B903900C3AF8E26F78B0573,SHA256=47E44D79441171DB486190F5B16283EEF1EA1B441D435ED9849B47EB543F6086falsetrue 11241100x80000000000000007551381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.848{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{62ED62F1-87A2-4D70-8EE6-461B9899909A}2021-09-10 17:09:51.847 734700x80000000000000007551380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.847{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 13241300x80000000000000007551379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.847{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 12241200x80000000000000007551378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:09:51.847{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\500 12241200x80000000000000007551377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:51.847{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\500\0 13241300x80000000000000007551376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DownloadContentStateConsentTime(Empty) 13241300x80000000000000007551375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DownloadContentStateSourceLocationDWORD (0x00000007) 
13241300x80000000000000007551374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DownloadContentStateDWORD (0x00000000) 13241300x80000000000000007551373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserContentDependentStateConsentTime(Empty) 13241300x80000000000000007551372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserContentDependentStateSourceLocationDWORD (0x00000007) 13241300x80000000000000007551371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserContentDependentStateDWORD (0x00000000) 13241300x80000000000000007551370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ControllerConnectedServicesStateConsentTime(Empty) 13241300x80000000000000007551369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ControllerConnectedServicesStateSourceLocationDWORD (0x00000007) 13241300x80000000000000007551368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ControllerConnectedServicesStateDWORD (0x00000000) 13241300x80000000000000007551367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ServiceConnectionStateConsentTime(Empty) 13241300x80000000000000007551366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ServiceConnectionStateSourceLocationDWORD (0x00000007) 13241300x80000000000000007551365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.844{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program 
Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ServiceConnectionStateDWORD (0x00000001) 13241300x80000000000000007551364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.843{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DiagnosticDataConsentConsentTime(Empty) 13241300x80000000000000007551363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.843{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DiagnosticDataConsentLevelSourceLocationDWORD (0x00000007) 13241300x80000000000000007551362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.843{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DiagnosticDataConsentLevelDWORD (0x00000002) 13241300x80000000000000007551361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.843{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserCategoryDWORD (0x00000002) 12241200x80000000000000007551360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.843{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common 
Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL 12241200x80000000000000007551359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.843{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache 734700x80000000000000007551358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.843{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 10341000x80000000000000007551357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.843{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000007551356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.843{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=1AF8278C79797EE87786D8BB9C56183A,SHA256=EC3AA46ED3F530594D2B7B7C432CF1286DBFC82D5798D2E1FABDD102E8E46024falsetrue 10341000x80000000000000007551355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.839{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.835{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=D6FB8AC7199C7D54CB2CF8218D927665,SHA256=48A51D466A273813850270015101D947F9EC6067E513FBD38905CABECBD5F72Cfalsetrue 10341000x80000000000000007551353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.831{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.831{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=A279A8DB13067CC3D811F121F3A2CBE6,SHA256=DBFAD65616C2095B386F214E095A0BC966C60F3B2F7EA3E1AE9DF85CF94FA31Dfalsetrue 10341000x80000000000000007551351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.827{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.827{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=E20B8202D672B484EA22D806085D36D7,SHA256=E3DD614D44E2B9BCF918499016EBF44FCE9613C8590D428A8E8BC2B6B4157032falsetrue 10341000x80000000000000007551349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.823{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.823{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=D0C73FFEC9D844EA3C2F9BE269227502,SHA256=443FC62888E3329DC560C6704343D094EAD445640497469E4903D52043CC74F7falsetrue 10341000x80000000000000007551347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.819{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.819{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=DBC56158690A33056C4A73D856515FE9,SHA256=0DA3921D7B57CCA5383F4A9EB5823966B94E63E9ED752C11ED2A34A1AF69EB80falsetrue 734700x80000000000000007551345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.815{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 10341000x80000000000000007551344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.811{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007551343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.811{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=0A8EC84EF090C9CBB10A824EE01E7052,SHA256=428E785751783C491FE6B363DBC0383EDB1AC678E5E3CCBF32D465C7A2CAC3AFfalsetrue 734700x80000000000000007551342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.811{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 10341000x80000000000000007551341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.811{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.807{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 11241100x80000000000000007551339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.799{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1631293791801841300_B9769A37-601C-44A5-9770-4AEB59C047C9.log2021-09-10 17:09:51.799 11241100x80000000000000007551338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.799{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1631293791801278500_B9769A37-601C-44A5-9770-4AEB59C047C9.log2021-09-10 
17:09:51.799 734700x80000000000000007551337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.799{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x80000000000000007551336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.791{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 13241300x80000000000000007551335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.787{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\SessionIdBinary Data 734700x80000000000000007551334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.783{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007551333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:51.783{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920trueMicrosoft WindowsValid 734700x80000000000000007551332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.779{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 734700x80000000000000007551331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.771{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 10341000x80000000000000007551330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.756{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.755{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\normaliz.dll10.0.14393.0 (rs1_release.160715-1616)Unicode Normalization DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnormaliz.dllMD5=65930A2C537774A8CBB0A1BE20266D51,SHA256=2879DECC03521C385C5D29381B002E7B70BB448BC2787D9C08174592C7D80BC8trueMicrosoft WindowsValid 734700x80000000000000007551328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.754{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686EtrueMicrosoft WindowsValid 12241200x80000000000000007551327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.751{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
734700x80000000000000007551326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.750{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000007551325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.749{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.748{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.748{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007551322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.748{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007551321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.745{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\DWrite.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=1875083243EE498D0B2BB6B025AD7520,SHA256=A3FA592126642537BF6F0E4E9750A43A899525FE616DE899ABD7F26A9E7620C4trueMicrosoft WindowsValid 734700x80000000000000007551320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.739{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 734700x80000000000000007551319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.739{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9DtrueMicrosoft WindowsValid 734700x80000000000000007551318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.735{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d11.dll10.0.14393.4467 (rs1_release.210604-1844)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=F940A91B13592184F228ECC14D8D9358,SHA256=2BC05A4D09CDBAB8DB5F767DC95F31B2CA324928A94F004C7C2968E3E9E635E2trueMicrosoft WindowsValid 
13241300x80000000000000007551317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.727{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007551316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007551315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007551314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007551313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x80000000000000007551312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.723{4DF467A6-3EE5-613A-21FA-00000000F001}24282832C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.719{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000007551307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.719{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 734700x80000000000000007551306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.715{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 13241300x80000000000000007551305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.707{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\!/ Binary Data 12241200x80000000000000007551304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.707{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 734700x80000000000000007551303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.703{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AEtrueMicrosoft WindowsValid 734700x80000000000000007551302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 10341000x80000000000000007551301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 10341000x80000000000000007551298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007551297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000007551296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000007551295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.699{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000007551294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.695{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 11241100x80000000000000007551293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.695{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{B9769A37-601C-44A5-9770-4AEB59C047C9} - OProcSessId.dat2021-09-10 17:09:51.695 13241300x80000000000000007551292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.695{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000001) 13241300x80000000000000007551291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.695{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000002) 734700x80000000000000007551290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.691{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=4479EEB5C5400D4C084274BA015750FA,SHA256=6B30AE7147132038E603EEB2D35C35BB3D03EC5AFA560D31969E2D39A44ACDCDtrueMicrosoft WindowsValid 13241300x80000000000000007551289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.691{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 12241200x80000000000000007551288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.691{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676 734700x80000000000000007551287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.691{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 
13241300x80000000000000007551286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:51.683{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling\0Binary Data 12241200x80000000000000007551285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.679{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007551284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007551283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD00F8F7BA62D9F305D7BD401845EF17,SHA256=A3673293AC526F83E3C4E4B57105109B2DBABF7BB38DC56C9C81BD804061F30Efalsetrue 11241100x80000000000000007551282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007551281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.599{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0F55D68B0B5F879BC3B3F9E932D559,SHA256=F6FAF1AF9086D074FF2090ACEEC45A8252DF46B44D4A83F4EC06EF8CFE62B0E9falsetrue 734700x80000000000000007551280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.435{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13801.20808Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=58F3352E3A0867817F759EA7940F2E10,SHA256=86AFDD63CFCA5B03D5265A2828F073CA401FE00B555B40AD9A0F7A193E200315trueMicrosoft CorporationValid 12241200x80000000000000007551279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007551275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007551260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.567{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.439{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007551255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.439{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft 
17:09:51.014{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=33E67D19ED73BD77FAB770F3677363E0,SHA256=3A7198AC7F995AE9FCA91372AFC3719C04417D638EE37EAA3162DE0A99F0F6B9trueMicrosoft CorporationValid 23542300x80000000000000002131736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:51.466{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B7FE5E918F968DE63E225918C37836,SHA256=30C6E7438995B87F4216CEF2A1838F57A5083FC34403FCF8C54E496FD93427FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:41.851{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62374-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007552263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.621{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56785-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000007552262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.621{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56785-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000007552261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.621{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56784-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007552260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.621{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56784-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007552259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.031{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56783-false10.0.1.12-8000- 11241100x80000000000000007552258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007552257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAF727F3914DA666C93529582D89B4DC,SHA256=61B119FCDD021D0C1414CD59049139657E8FAEF9079C1FAD131787D9B02675C5falsetrue 23542300x80000000000000007552256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.816{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\61GRXA2F.cookieMD5=DDDA9176621A5C1E8DF41AC3A07ADB5A,SHA256=283E0C79915A3BDDA7E73BDD453382FD3B1B4E0E40A6778AE4B3556879D1D0E1falsetrue 11241100x80000000000000007552255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.816{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\GJTKBXK7.cookie2021-09-10 17:09:52.816 13241300x80000000000000007552254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.460{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 13241300x80000000000000007552253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.460{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ETagstd::wstring|"9LPZ0BsLX7VBmE3vlyeIf+8SOI+iV6w9KyqJOlMc4Ik=" 13241300x80000000000000007552252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.460{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\Expiresint64_t|1631308192 734700x80000000000000007552251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.454{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x80000000000000007552250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007552249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007552248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.335{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL7.1.1108Visual Basic for Applications Runtime - Expression ServiceMicrosoft Visual Basic for ApplicationsMicrosoft CorporationEXPSRV.DLLMD5=3FF977F13147CF29DDB70AA247BD3690,SHA256=3FE5A0245668D229732B49763CB17E3BD466204440DBBC4D27F5E3095CED6C45trueMicrosoft CorporationValid 12241200x80000000000000007552247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007552246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007552239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.372{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007552225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007552224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.331{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\System\msvcr100.dll10.00.40219.1Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2010Microsoft Corporationmsvcr100_clr0400.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36trueMicrosoft CorporationValid 12241200x80000000000000007552223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007552222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007552221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007552218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.364{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007552200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007552199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007552198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007552197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.323{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft 
Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL7.1.1104Visual Basic for Applications Development Environment - Expression Service LoaderMicrosoft Visual Basic for ApplicationsMicrosoft CorporationVBAJET32.DLLMD5=A302D22CC544B6BFB4E1BB522B036CB1,SHA256=76823CF79F5C76C96E2FCA31D06796D62727ABE559FFBA78E5F21DC324E55188trueMicrosoft CorporationValid 12241200x80000000000000007552196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007552190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.359{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
Corporationaceoledb.dllMD5=E8DCF5077604E501B55ABD40BFB32ACB,SHA256=CFA364D0ACFC660080B2F3C6D06E89B6CBBA031F3673E7C56843825991D9EA6AtrueMicrosoft CorporationValid 12241200x80000000000000007552036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007552035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007552029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.299{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.295{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 734700x80000000000000007552014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.249{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL3.4.1.35249ADAL.NativeMicrosoft© ADALMicrosoftadal.dllMD5=83940B529D140372B1FF153CF83E478D,SHA256=1D246C806D9F170AAC09E8AA3507553B7833BA2067B81150588444B3C93BAADBtrueMicrosoft CorporationValid 12241200x80000000000000007552013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007552012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007552011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007552010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007552000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.291{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.279{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000007551989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.279{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5AtrueMicrosoft WindowsValid 12241200x80000000000000007551988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000007551987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007551984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.275{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dsreg.dll10.0.14393.4467 (rs1_release.210604-1844)AD/AAD User Device RegistrationMicrosoft® Windows® Operating SystemMicrosoft Corporationdsreg.dllMD5=79A9D7EA2FEAEF86876FFD1B6D1CB6C1,SHA256=A1BA47F25235AA03E37B420DA61B68E1F3165A590B15AAC43894613A88250018trueMicrosoft WindowsValid 734700x80000000000000007551983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.215{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll16.0.13801.20842Microsoft Office Document CacheMicrosoft OfficeMicrosoft CorporationCsi.dllMD5=79BAD2A42BC1DDCF7747154DB5CDA177,SHA256=B943A38387BD920D64860A27F667FF8C23529614A5812412A672E18052A2CFA5trueMicrosoft CorporationValid 12241200x80000000000000007551982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007551974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.275{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.271{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.271{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.271{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007551962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.256{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 13241300x80000000000000007551961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.239{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000007551960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.239{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities827 15,134 15,2086 15,1074 15,2413 15,2402 15,129 15,2159 10,1001 15,103 15,2324 15,121 15,1000 15,185 15,1445 15,2401 15,1338 50,1338 10,951 15,1282 50,226 15,999 15,1282 10,831 15,2430 15,1338 15,1282 15,1128 15,132 15,2087 15,2328 15,850 15,1039 15,998 15,828 15,829 15,108 15,2323 15,335 15,2088 15,1255 15,830 15,974 15,1249 15,670 15,671 15,111 15,1002 15,669 15,332 15,291 15,1249 10,70 50,2327 15,184 15,120 15,2325 15,2326 15,2329 15,116 15,2403 15,2404 15,2405 15,1209 15,2406 15,334 15,2407 15,1221 15,2408 15,2409 15,2410 15,1443 15,2415 15,937 15,1204 15,2411 15,2412 15,2416 15,2424 15,159 15,109 15,2414 15,2417 15,2418 15,133 15,318 15,160 15,2419 15,114 15,107 15,2420 15,2421 15,131 15,2422 15,2423 15,104 15,102 15,2425 15,2426 15,2427 15,112 15,117 15,106 15,1444 15,115 15,118 15,101 15,2322 15,113 15,105 15,123 15,2428 15,2429 15,2431 15,2432 15,125 15,333 15,331 15,2225 15,336 15,128 15,124 15,100 15,2433 15,1007 15,110 15,2434 15,1446 15,2435 15,2436 15,122 15,1373 15,2437 15,127 15,119 15,1008 15,2438 15,969 15,2439 15,126 15,130 15,1584 50,2159 6 13241300x80000000000000007551959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.239{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,22561229,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000007551958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:52.239{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds019972417,21378256,18409363,20039442,40920709,19200086,19677900,24131419,17134338,34968335,8758344,23979203,18375312,18658649,17634580,51655840,18658648,19677907,17183040,17698823,21378211,17650967,18658650,18948503,34968340,18674530,18637650,21313610,18948102,17126295,9319450,18409416,36517339,18948101,18400089,17634578,36761792,34968342,20979747,21378249,21030802,50890251,34968338,34968337,24470607,34968339,7690258,34968341,38013077,6366290,8448079,36274763,34968589,24406167,17182941,20027008,20027009,17182979,7690254,23205313,9176926,17622912,8263521,5850584,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,213782
17:09:52.047{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 734700x80000000000000007551847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.039{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 12241200x80000000000000007551846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:09:52.035{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\:0 11241100x80000000000000007551845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.031{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{02C1ECA5-4488-4835-BC08-08AC1A3D2A52}.tmp2021-09-10 17:09:52.031 734700x80000000000000007551844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.031{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msxml6.dll6.30.14393.4530MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=10A0259030F41545ECAFB6A595F7C457,SHA256=CF160C3ADCE5AA2357697A02C6FC38071CBE1818B036F1C67F746868EB7F814DtrueMicrosoft WindowsValid 734700x80000000000000007551843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:52.007{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x80000000000000007551842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:52.003{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 12241200x80000000000000007551841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007551837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007551822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.007{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007551816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x80000000000000007551815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.939{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL16.0.13801.20178Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmsptls.dllMD5=53C631125C4AB3BFA9F7DB70B4B02EFA,SHA256=4F0593A374FE614EBBFAB37A9C39515D695ABA2EF3ADDD72BD912A83426789FEtrueMicrosoft CorporationValid 12241200x80000000000000007551814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007551813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007551812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007551811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007551809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007551801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:52.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007551795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007551794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007551793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007551792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:51.999{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007551791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.999{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm2021-09-10 17:09:51.999 23542300x80000000000000002131737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:52.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B6AC0BA413358FB2C16DFFABAD6336,SHA256=C243D4097E40EA2C5481498617E100768EE8771075331ECE363ABB2BC38A1DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007552427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.355{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56793-false72.21.91.29-80http 10341000x80000000000000007552426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:53.985{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.985{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.329{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49786- 354300x80000000000000007552423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.265{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56792-false40.126.29.15-443https 
10341000x80000000000000007552422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.981{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.981{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61773- 354300x80000000000000007552419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56790-false23.192.208.23a23-192-208-23.deploy.static.akamaitechnologies.com443https 10341000x80000000000000007552418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.981{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.981{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.152{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63453- 354300x80000000000000007552415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:35.128{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56787-false52.96.164.66-443https 10341000x80000000000000007552414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.977{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.977{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.126{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56788-false52.96.164.66-443https 
10341000x80000000000000007552411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.977{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.977{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.115{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51433- 354300x80000000000000007552408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.110{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50459- 354300x80000000000000007552407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.904{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56786-false52.109.2.0-443https 10341000x80000000000000007552406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.977{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.977{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:34.852{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49508- 354300x80000000000000007552403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.823{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49508- 10341000x80000000000000007552402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.873{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007552401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:53.801{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\Federation(Empty) 13241300x80000000000000007552400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:53.801{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\UserId877fd83f-3dba-4665-9010-4319bfad7aca_ADAL 13241300x80000000000000007552399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:53.801{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\IdentityTypeDWORD (0x00000004) 13241300x80000000000000007552398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:53.801{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\StartTime13275767393801 11241100x80000000000000007552397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.801{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245 11241100x80000000000000007552396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.793{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 11241100x80000000000000007552395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.789{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 11241100x80000000000000007552394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.785{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000007552393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:53.781{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000007552392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.777{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000007552391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.777{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000007552390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.773{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000007552389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.769{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 22542200x80000000000000007552388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.190{4DF467A6-915E-613B-8222-01000000F001}5676login.windows.net0type: 5 a.privatelink.msidentity.com;type: 5 prda.aadg.msidentity.com;type: 5 www.tm.a.prd.aadg.trafficmanager.net;::ffff:40.126.29.15;::ffff:40.126.29.6;::ffff:40.126.29.5;::ffff:40.126.29.8;::ffff:40.126.29.11;::ffff:20.190.157.11;::ffff:40.126.29.7;::ffff:40.126.29.13;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 
10341000x80000000000000007552387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.769{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.188{4DF467A6-915E-613B-8222-01000000F001}5676hidusi.com0::ffff:127.0.0.1;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.769{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.769{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=5A697FF7C5A6D790763E2685FA36C368,SHA256=77129E14C0866B235EE8C7E3A26FACAB40497BC840ECE5073FE16C300601CBA5falsetrue 10341000x80000000000000007552383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.130{4DF467A6-915E-613B-8222-01000000F001}5676support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:23.192.208.23;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=61419A57B07600D8328862B0A03B11B6,SHA256=D26FB8786EA204ACAFD6677CDBD5B087F7E9D1464F82FA6EA8BDB431DF66CFB4falsetrue 10341000x80000000000000007552379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.094{4DF467A6-915E-613B-8222-01000000F001}5676ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=774CCEF5FA89CCDDFBC12013EEA2563B,SHA256=3C86B20615BC7F0A0A88CDFCA16F6424728596D0047BE000ED05854FF63AA0FCfalsetrue 10341000x80000000000000007552375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.765{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.091{4DF467A6-915E-613B-8222-01000000F001}5676outlook.office.com0type: 5 substrate.office.com;type: 5 outlook.ha.office365.com;type: 5 outlook.ms-acdc.office.com;type: 5 EAT-efz.ms-acdc.office.com;::ffff:52.96.164.66;::ffff:40.97.119.194;::ffff:40.97.84.34;::ffff:52.96.119.114;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.761{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.091{4DF467A6-915E-613B-8222-01000000F001}5676outlook.office.com0type: 5 substrate.office.com;type: 5 outlook.ha.office365.com;type: 5 outlook.ms-acdc.office.com;type: 5 EAT-efz.ms-acdc.office.com;::ffff:52.96.164.66;::ffff:40.97.119.194;::ffff:40.97.84.34;::ffff:52.96.119.114;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.761{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.761{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=99E1E27C4DD1456D3EC36D54ACDF80F0,SHA256=F38AA98014EB44B64630401C4C9D5DD3C5809F1B37A04360236FE6372463F8B7falsetrue 10341000x80000000000000007552369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.761{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:34.852{4DF467A6-915E-613B-8222-01000000F001}5676officeclient.microsoft.com0type: 5 config.officeapps.live.com;type: 5 prod.configsvc1.live.com.akadns.net;type: 5 us.configsvc1.live.com.akadns.net;::ffff:52.109.2.0;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.760{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007552366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.760{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.760{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=AB2B1A80180696F65FB9DDE058135CB0,SHA256=9F13BCA50D8065D074C8CD4FF0DEACC55701A8E92682A2B4CA06804E69DBA4E3falsetrue 10341000x80000000000000007552364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.757{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.756{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=D9EA6C89F7ADE8AEA4F737834D0E43F5,SHA256=8725FCF883586F1EB140C2D6ED7ED4CB913D04980141E96DB9419F77A50EF83Bfalsetrue 10341000x80000000000000007552362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.753{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=9785F5EF8E671597208D0AA0A43F54F9,SHA256=18C444A05D95FE9F2A30CBE994AA343205525DB664F668211508A203C664F434falsetrue 10341000x80000000000000007552360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.749{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.748{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=DC738679F443D1327366AB6D2516E90D,SHA256=E0E434EB451A7186548D25A9ED412FA55FD12634E4C8C5390BAA99C3633FF98Efalsetrue 10341000x80000000000000007552358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.748{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.741{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\LVP42U2N.cookieMD5=974571A77D11126C9096596E39E9839F,SHA256=073BF18094D419D09471E75105C8034B45EE6A8B0D40AB50930013040CF9A9D1falsetrue 11241100x80000000000000007552356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.741{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\SR6I7HMJ.cookie2021-09-10 17:09:53.741 12241200x80000000000000007552355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:53.605{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007552354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:53.605{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007552353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:53.601{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007552352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:53.601{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007552351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:53.601{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 11241100x80000000000000007552350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.561{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 11241100x80000000000000007552349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.558{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 11241100x80000000000000007552348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.046{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=E427A30A2602EE23BDD88F8EE15E525E,SHA256=2C399EED1D24C264BA9CF104227EB2018E6F03F4E36A1B774EF075E953EB5226falsetrue 10341000x80000000000000007552278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.040{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.040{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=D329905ADFD280BD09506711B871106C,SHA256=EDEE0F4F978402105FB08D6C2A962DB43DEBC38436DAD9707DA2DE2218166D78falsetrue 10341000x80000000000000007552276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.036{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.036{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=4D2415518FA862D1D3D87EC720948304,SHA256=329D3E66378A4095CF87A70B856E5DDC60ADE5810AEC5B8C6D97ABB19E447F25falsetrue 10341000x80000000000000007552274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.032{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.032{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=78444E0693D0FDC59078DEAD34BC0EF2,SHA256=29C414F47C2778C442112A83964F56D9814AB73BF6FB38A8EDEBC02223272670falsetrue 10341000x80000000000000007552272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.024{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.024{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=8386A978BC153AA7829DE80C0716B1DB,SHA256=1FD138C4F76D0FCC99CEACC05F5B6A32490B16135F84841105153069BBD5AC87falsetrue 10341000x80000000000000007552270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.020{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.020{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=5E0FB6FA39FE297E193953595EA546C3,SHA256=B2D989C446A93F33354B44B034C58407848F27D663ABAE96925B0B6E934121DEfalsetrue 10341000x80000000000000007552268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.016{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.016{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=A5C23D23EB6F17A820FC43278E6DD465,SHA256=BE22D9DD06EC44735B2B54CC720A444AFB3EDB120E677AF786403EC3F47B0120falsetrue 10341000x80000000000000007552266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.012{4DF467A6-3F46-6132-0B00-00000000F001}6368092C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.008{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\GJTKBXK7.cookieMD5=0631C793C2D5D5314ECB06A96D0CC647,SHA256=207765310C6EC96708877E028E9E46D3F4A8CB6B79830770741FD0627D04B0FFfalsetrue 11241100x80000000000000007552264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:53.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\871ISLY8.cookie2021-09-10 17:09:53.008 10341000x80000000000000002131767Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131766Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131765Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131764Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131763Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131762Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131761Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131760Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131759Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131751Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:53.900{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.762{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=6DFC02408CD5C2A303381C33C9C6F446,SHA256=6AEC501DBF5DD7930C83B8D9D31442FE20014014138DF7478FE26C77729C0545falsetrue 10341000x80000000000000007552722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.759{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.759{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=9E39917D8945B9986571E172B268BF07,SHA256=5079A0CD0D7EDBD156B25D42336063ADF527C91278A89F6827A028DC80C6EFFAfalsetrue 10341000x80000000000000007552720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.756{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.756{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=55582FC0CA2A1A05A56BA9F007D40627,SHA256=BBE961E56B4329061EAE35818B739E3D0E41F7C6BD8F733D843E97ACFF827A41falsetrue 10341000x80000000000000007552718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.753{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=53BF6965394E36E98922F769F6661728,SHA256=5991BDA8FD6C002464A92808C86FA2B20D05C6E00C8ABF5F9CC55CD32F9D2B9Efalsetrue 10341000x80000000000000007552716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.749{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.749{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=8CD57EA5BA745ED569FE63FD5B9E8725,SHA256=2806595601A25D391AFF40C80C89360FC391EE40F91DA64AB8AD5B6AB0908685falsetrue 10341000x80000000000000007552714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.742{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.742{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=F5618E9F8C099E1A5B2BB932050A2DCA,SHA256=85DCDB97D1BE22C6172150FB6E953107AA292D5C9C6CF7322AE24CB347FD56AFfalsetrue 354300x80000000000000007552712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:35.127{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56789-false52.113.194.132-443https 10341000x80000000000000007552711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.742{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.742{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.738{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.738{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=725CF7F3FB52BFE52CBA05838D8944FE,SHA256=246BF4111340287EBC8CBCC6272D7141EA7D3D5B47A5F6783E3CA9F376C84B7Cfalsetrue 10341000x80000000000000007552707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.734{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.734{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=F4410FF535C76C3B62C9BCAD62D520C8,SHA256=81F874239D1B18685A1F2871A1A254DC9B0751E28BE11629AC5B25E8A770D57Dfalsetrue 10341000x80000000000000007552705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.734{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.730{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\WNZDEMR0.cookieMD5=7647DBDE69C5832AD1AA9BA342245542,SHA256=69B0CC22D65D3A4CE98BAF23E33384444F5AD919519873DA38F394064E3926B1falsetrue 11241100x80000000000000007552703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.730{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\21V0GGEK.cookie2021-09-10 17:09:54.726 11241100x80000000000000007552702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007552701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EE74DF39409CA0BB9586D44621B0FE51,SHA256=BEA103E7CBADC4471986637162764538B72931E6E3C0DCA03E25B0C837EC33DDfalsetrue 10341000x80000000000000007552700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.566{4DF467A6-9162-613B-8422-01000000F001}63923652C:\Windows\system32\sppsvc.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x80000000000000007552699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:54.566{4DF467A6-9162-613B-8422-01000000F001}63923652C:\Windows\system32\sppsvc.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007552698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.541{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-09 17:20:35.191 11241100x80000000000000007552697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007552696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=07BBDBC14CD1EDC9BA31F28937E95420,SHA256=6C49CA0351D1508D9E12EC4C7A5518EC84244B60A08B0A2B7521A4D87E40E5E3falsetrue 11241100x80000000000000007552695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-09 17:20:34.561 11241100x80000000000000007552694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.529{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245 11241100x80000000000000007552693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.525{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 11241100x80000000000000007552692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.521{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 11241100x80000000000000007552691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.517{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000007552690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:54.509{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000007552689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.505{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000007552688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.501{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000007552687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.497{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000007552686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.497{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000007552685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.493{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.493{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=04C6543436CE7E8E0CEAC8AF6E10D273,SHA256=AE96AEA5FDFC6DAC68AEF5036FB29217D6203137D4886ECCCE03872A37DD3C2Afalsetrue 10341000x80000000000000007552683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.489{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.489{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=61942A432FE05E90243986404BE8C2EA,SHA256=7D18C18D9E35CFA10B0C539269791FCD34B6378A4D6FCF506042506AA6073EF6falsetrue 10341000x80000000000000007552681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.489{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.489{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=33FAC7B1FA56C46D7B3C06D5A08908AE,SHA256=155FC26B8B0463AC77C71774D46292EA88F1ED160B91FAB412086E2E558BEA3Cfalsetrue 10341000x80000000000000007552679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.485{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Sysmon records from win-dc-291.attackrange.local, 2021-09-10 17:09:54, newest EventRecordID first. Fields identical in every record of this span are stated once here instead of per record: Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-291.attackrange.local, Level=4, Opcode=0, Task=EventID, Keywords=0x8000000000000000, RuleName=-. Schema versions: EventID 7 v3, 10 v3, 11 v2, 12 v2, 13 v2, 23 v5.

Processes in this span, written below as Image(ProcessId):
  lsass.exe(636)              ProcessGuid {4DF467A6-3F46-6132-0B00-00000000F001}  C:\Windows\system32\lsass.exe  User NT AUTHORITY\SYSTEM
  WINWORD.EXE(5676)           ProcessGuid {4DF467A6-915E-613B-8222-01000000F001}  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  taskhostw.exe(3292)         ProcessGuid {4DF467A6-4448-6132-F805-00000000F001}  C:\Windows\system32\taskhostw.exe  User ATTACKRANGE\Administrator
  splunk-winevtlog.exe(5720)  ProcessGuid {4DF467A6-D93F-6137-8AAF-00000000F001}  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  User NT AUTHORITY\SYSTEM
  sppsvc.exe(6392)            ProcessGuid {4DF467A6-9162-613B-8422-01000000F001}  C:\Windows\System32\sppsvc.exe
  OfficeClickToRun.exe(6780)  ProcessGuid {4DF467A6-D3A4-6138-36CD-00000000F001}  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  sysmon64.exe(2948)          ProcessGuid {4DF467A6-3F58-6132-2B00-00000000F001}  C:\Windows\sysmon64.exe

Path abbreviations used below:
  Creds\        = C:\Users\Administrator\AppData\Local\Microsoft\Credentials\
  WinEventLog\  = C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\
  HKU\<admin>\  = HKU\S-1-5-21-2453051693-1864363570-3931539573-500\
Every EventID 7 record below is an image load by sppsvc.exe(6392) with Product=Microsoft® Windows® Operating System, Company=Microsoft Corporation, Signed=true, Signature=Microsoft Windows, SignatureStatus=Valid.

Every EventID 10 record below has SourceProcessId=636 and SourceThreadId=7016 (the fused value 6367016 is split this way because the same ProcessGuid carries ProcessId=636 in the EventID 23 records) and the following CallTrace:
  C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

(tail of an EventID 10 record whose header precedes this section)  TargetImage ends ...Office\Root\Office16\WINWORD.EXE  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552678  EID 23 FileDelete  2021-09-10 17:09:54.485  lsass.exe(636)  TargetFilename=Creds\06E77BA2AFD19415DCCD47B619B236BD  MD5=FCB776DD9CB63D893F91880E53881CE8  SHA256=6263728EA9E4C55E38E16613225872576D28D5F5E4CF5BA898D472E714C779CB  IsExecutable=false  Archived=true
7552677  EID 10 ProcessAccess  2021-09-10 17:09:54.481  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552676  EID 23 FileDelete  2021-09-10 17:09:54.481  lsass.exe(636)  TargetFilename=Creds\D2325BD2B73BEC8371D498E313E99DBB  MD5=D7B8DD6E5A80E54BD7A3AF7CFCB8DD69  SHA256=321AB2ED0634155ED525F625F1FF396453A2F27C8F3B78CF0B0D2FFC6962CE7F  IsExecutable=false  Archived=true
7552675  EID 10 ProcessAccess  2021-09-10 17:09:54.477  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552674  EID 23 FileDelete  2021-09-10 17:09:54.477  lsass.exe(636)  TargetFilename=Creds\AE8AC12B059FC12BC993D44775532FE3  MD5=8EAD84E559EEC7138446A72E6CC468A5  SHA256=F3006E304E7E082D1FE691801A94CCA70B79806E1E32816BE03039C54F894D39  IsExecutable=false  Archived=true
7552673  EID 10 ProcessAccess  2021-09-10 17:09:54.473  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552672  EID 23 FileDelete  2021-09-10 17:09:54.473  lsass.exe(636)  TargetFilename=Creds\C7587E62033F954AABD4D1069CDF8242  MD5=EC6EAD5D3AECC5FAD138626E38AE65D6  SHA256=EE42F73171D45EB8C090E3FB79E5327411A5733E66C8CF73DD255059B799D964  IsExecutable=false  Archived=true
7552671  EID 10 ProcessAccess  2021-09-10 17:09:54.469  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552670  EID 23 FileDelete  2021-09-10 17:09:54.469  lsass.exe(636)  TargetFilename=Creds\11420D9674230CDD500D49A5C8EB73C3  MD5=AFB2CB4CD1589855D7F5EB13F933097C  SHA256=F2C31682EFED0FC0D6747C2AFD086D4ACC3BE4A1922A1737275545C0943C10E4  IsExecutable=false  Archived=true
7552669  EID 10 ProcessAccess  2021-09-10 17:09:54.465  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552668  EID 23 FileDelete  2021-09-10 17:09:54.465  lsass.exe(636)  TargetFilename=Creds\19327C7415E3C87C9469A39F209FBEF4  MD5=92CDF6E773C518E5D438D14B2D26B42F  SHA256=90CD2E3F9EC90E043BA5A35F83449E356B6F6B87B4FBAA6FC497408A3F5976E9  IsExecutable=false  Archived=true
7552667  EID 10 ProcessAccess  2021-09-10 17:09:54.461  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552666  EID 23 FileDelete  2021-09-10 17:09:54.461  lsass.exe(636)  TargetFilename=Creds\9DA9D0B857DD035C7DE5CD6CC4AA8057  MD5=E6BE9179911E399F7A9B22EB3C306EDF  SHA256=E995894C67E3E790376039AA1649F9752E97B11BD6E4CBF59B8EF3D059B96599  IsExecutable=false  Archived=true
7552665  EID 10 ProcessAccess  2021-09-10 17:09:54.460  Source=lsass.exe(636)  Target=WINWORD.EXE(5676)  GrantedAccess=0x1000  CallTrace=shared CallTrace above
7552664  EID 23 FileDelete  2021-09-10 17:09:54.454  taskhostw.exe(3292)  TargetFilename=C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\3EVO8C85.cookie  MD5=F1142E81FAE2A0BFD91B4ED5C141EE99  SHA256=43D7329536B85840A55B298309369A0D4C8BB69DCFF438F7C0DEDC5BAECDAFC6  IsExecutable=false  Archived=true
7552663  EID 11 FileCreate  2021-09-10 17:09:54.453  WINWORD.EXE(5676)  TargetFilename=C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\WNZDEMR0.cookie  CreationUtcTime=2021-09-10 17:09:54.453
7552662  EID 11 FileCreate  2021-09-10 17:09:54.397  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Application  CreationUtcTime=2021-09-03 15:25:16.281
7552661  EID 23 FileDelete  2021-09-10 17:09:54.397  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Application  MD5=E0662774DF01AD140A6769CFCACB52D2  SHA256=BDC1BFEA78399907F8DA00E46AB27445DCA0A739B0534A9D3916B6924489BF92  IsExecutable=false  Archived=true
7552660  EID 7 ImageLoad  2021-09-10 17:09:54.389  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\netapi32.dll  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Net Win32 API DLL  OriginalFileName=NetApi32.DLL  MD5=F55166956AEAD05A141BA7E80B90AB7B  SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F
7552659  EID 7 ImageLoad  2021-09-10 17:09:54.389  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\sppobjs.dll  FileVersion=10.0.14393.4583 (rs1_release.210730-1850)  Description=Software Protection Platform Plugins  OriginalFileName=sppobjs.dll  MD5=70045B78DCFD4DE800A61A51E60D83DC  SHA256=557A2F2C1F6E766E3CBE8A6E91F7614717848B754242097E820C32EED148A530
7552658  EID 11 FileCreate  2021-09-10 17:09:54.369  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Microsoft-Windows-PowerShell_Operational  CreationUtcTime=2021-09-03 15:27:39.754
7552657  EID 23 FileDelete  2021-09-10 17:09:54.369  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Microsoft-Windows-PowerShell_Operational  MD5=47C9AD000C7C548081FD5F34EEFFC83D  SHA256=292B7A35EE931021806C0962EDA9F5E52D15750DAFFC5B3FD1DEA264A6558F46  IsExecutable=false  Archived=true
7552656  EID 11 FileCreate  2021-09-10 17:09:54.369  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Security  CreationUtcTime=2021-09-03 15:27:39.769
7552655  EID 23 FileDelete  2021-09-10 17:09:54.369  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Security  MD5=43FF1967BEF5E59D4C6E304D91FE9891  SHA256=F32F2A4D959BA30D3FBCBAC2F0B7BD27FF109076BF560615473DFB05B37814AE  IsExecutable=false  Archived=true
7552654  EID 11 FileCreate  2021-09-10 17:09:54.369  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Microsoft-Windows-Sysmon_Operational  CreationUtcTime=2021-09-03 15:28:51.675
7552653  EID 23 FileDelete  2021-09-10 17:09:54.365  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Microsoft-Windows-Sysmon_Operational  MD5=CF600067194403AB05660BF21E2C1D7E  SHA256=4235155BA0C8DB57F2AC9D5A7F198DE52B291C21C987245BB4A4E0AEF9B122B6  IsExecutable=false  Archived=true
7552652  EID 11 FileCreate  2021-09-10 17:09:54.365  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Application  CreationUtcTime=2021-09-03 15:25:16.281
7552651  EID 23 FileDelete  2021-09-10 17:09:54.365  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Application  MD5=E0662774DF01AD140A6769CFCACB52D2  SHA256=BDC1BFEA78399907F8DA00E46AB27445DCA0A739B0534A9D3916B6924489BF92  IsExecutable=false  Archived=true
7552650  EID 11 FileCreate  2021-09-10 17:09:54.365  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Application  CreationUtcTime=2021-09-03 15:25:16.281
7552649  EID 23 FileDelete  2021-09-10 17:09:54.365  splunk-winevtlog.exe(5720)  TargetFilename=WinEventLog\Application  MD5=BEA52FF633D7A26A1D07E87115C54EC4  SHA256=97E89E836CD1966DBE405C511C5DCE1B71187E82294166E406AF3574C305FE98  IsExecutable=false  Archived=true
7552648  EID 7 ImageLoad  2021-09-10 17:09:54.365  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\Clipc.dll  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=Client Licensing Platform Client  OriginalFileName=ClipC.dll  MD5=C1ADE6C578AFD608EBC63BEB0F85ABD7  SHA256=7195914FD6FF035601607636E8EEFC58074852FD9983DB4A7E9DFEAEFA3D8382
7552647  EID 7 ImageLoad  2021-09-10 17:09:54.365  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\dsrole.dll  FileVersion=10.0.14393.0 (rs1_release.160715-1616)  Description=DS Setup Client DLL  OriginalFileName=DSROLE.DLL  MD5=2A319EC8DF0FB5C46CF311B9D2B65B1D  SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7
7552646  EID 7 ImageLoad  2021-09-10 17:09:54.361  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\sppwinob.dll  FileVersion=10.0.14393.4530 (rs1_release.210705-0736)  Description=Software Protection Platform Windows Plugin  OriginalFileName=sppwinob.dll  MD5=131DCFFFD0F2560BCD89F6ECBCC8A2D1  SHA256=5FB678235EC5BB4417B9D69AD7095A6C13AC1C008FA2647BE09205434E57AA4A
7552645  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\LastUser\LastFetchTime  Details=13275767394277
7552644  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\LastUser\FetchInterval  Details=DWORD (0x00000000)
7552643  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\LastUser\PolicyHash  Details=(Empty)
7552642  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\LastUser\UserId  Details=877fd83f-3dba-4665-9010-4319bfad7aca_ADAL
7552641  EID 12 CreateKey  2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\LastUser
7552640  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\LastFetchTime  Details=13275767394277
7552639  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\FetchInterval  Details=DWORD (0x00000000)
7552638  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\PolicyHash  Details=(Empty)
7552637  EID 13 SetValue   2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserId  Details=877fd83f-3dba-4665-9010-4319bfad7aca_ADAL
7552636  EID 12 CreateKey  2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL
7552635  EID 12 CreateKey  2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Policies\Microsoft
7552634  EID 12 CreateKey  2021-09-10 17:09:54.277  OfficeClickToRun.exe(6780)  TargetObject=HKU\<admin>\SOFTWARE\Microsoft\Office\16.0\Common\CloudPolicy
7552633  EID 7 ImageLoad  2021-09-10 17:09:54.217  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\sechost.dll  FileVersion=10.0.14393.3808 (rs1_release.200707-2105)  Description=Host for SCM/SDDL/LSA Lookup APIs  OriginalFileName=sechost.dll  MD5=E6B98644CD3B912C44C39CC0996790A9  SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2
7552632  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7552631  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7552630  EID 7 ImageLoad  2021-09-10 17:09:54.217  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\sechost.dll  (same FileVersion, Description, OriginalFileName and hashes as 7552633)
7552629  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7552628  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7552627  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7552626  EID 7 ImageLoad  2021-09-10 17:09:54.217  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\sechost.dll  (same FileVersion, Description, OriginalFileName and hashes as 7552633)
7552625  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7552624  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7552623  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7552622  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
7552621  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
7552620  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
7552619  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
7552618  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7552617  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7552616  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7552615  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7552614  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7552613  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
7552612  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
7552611  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
7552610  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
7552609  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7552608  EID 12 CreateKey  2021-09-10 17:09:54.261  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7552607  EID 12 CreateKey  2021-09-10 17:09:54.257  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7552606  EID 12 CreateKey  2021-09-10 17:09:54.257  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7552605  EID 12 CreateKey  2021-09-10 17:09:54.257  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7552604  EID 12 CreateKey  2021-09-10 17:09:54.257  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7552603  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7552602  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7552601  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7552600  EID 7 ImageLoad  2021-09-10 17:09:54.213  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\msvcrt.dll  FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743)  Description=Windows NT CRT DLL  OriginalFileName=msvcrt.dll  MD5=0AF8989DD67A135B536CF948E3EFB7EB  SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4
7552599  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7552598  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7552597  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
7552596  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
7552595  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
7552594  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
7552593  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7552592  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
7552591  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
7552590  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
7552589  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
7552588  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
7552587  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
7552586  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
7552585  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
7552584  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7552583  EID 12 CreateKey  2021-09-10 17:09:54.256  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
7552582  EID 12 CreateKey  2021-09-10 17:09:54.250  sysmon64.exe(2948)  TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7552581  EID 12 CreateKey  2021-09-10 17:09:54.249  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7552580  EID 12 CreateKey  2021-09-10 17:09:54.249  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7552579  EID 7 ImageLoad  2021-09-10 17:09:54.213  sppsvc.exe(6392)  ImageLoaded=C:\Windows\System32\rpcrt4.dll  FileVersion=10.0.14393.4467 (rs1_release.210604-1844)  Description=Remote Procedure Call Runtime  OriginalFileName=rpcrt4.dll  MD5=B0C4BF9491FB453B77399E3C56C11DC8  SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08
7552578  EID 12 CreateKey  2021-09-10 17:09:54.249  sysmon64.exe(2948)  TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000007552577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007552562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.249{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000007552556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 
12241200x80000000000000007552555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000007552554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000007552553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000007552552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000007552551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000007552550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000007552549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common 
Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000007552548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x80000000000000007552547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000007552546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.241{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000007552545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007552544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.213{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\System32\sppsvc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x80000000000000007552543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007552542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007552541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007552540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007552535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007552520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.233{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\system32\sppsvc.exeHKLM\SYSTEM\WPA 13241300x80000000000000007552519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:09:54.233{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\system32\sppsvc.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ServiceSessionIdBinary Data 734700x80000000000000007552518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.233{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\System32\sppsvc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007552517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.233{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\System32\sppsvc.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007552516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.233{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\System32\sppsvc.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 12241200x80000000000000007552515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007552514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007552513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007552512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007552511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007552510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.213{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\System32\sppsvc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
12241200x80000000000000007552509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007552508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007552498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007552494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007552493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007552492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007552491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:09:54.229{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007552490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:54.229{4DF467A6-3F46-6132-0A00-00000000F001}6206596C:\Windows\system32\services.exe{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17:09:54.685{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131774Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:54.685{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131773Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:54.685{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131772Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:54.685{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131771Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:54.685{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131770Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:54.685{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9162-613B-A01B-01000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131769Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:54.685{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9162-613B-A01B-01000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131768Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:54.670{AEE49BD1-9162-613B-A01B-01000000F101}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000007552951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.399{4DF467A6-915E-613B-8222-01000000F001}5676roaming.officeapps.live.com0type: 5 prod.roaming1.live.com.akadns.net;type: 5 us2.roaming1.live.com.akadns.net;::ffff:52.109.0.29;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.787{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.263{4DF467A6-915E-613B-8222-01000000F001}5676nam10.dataservice.protection.outlook.com0::ffff:104.47.55.16;::ffff:104.47.70.16;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.787{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:37.194{4DF467A6-915E-613B-8222-01000000F001}5676hidusi.com0::ffff:127.0.0.1;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.787{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007552945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007552944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=789455A058B7EBDEAE8F25757FD08272,SHA256=66196E2E548A44A9AC6A056894526AE1AA9485AF5DD0DA1A299A7CE9EC157D00falsetrue 11241100x80000000000000007552943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000007552942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ECE68E6FB8FFEBC3F02B7BC12D288B35,SHA256=8E0BF0FB4571B88FECDE3FFECBD3FBBBE059BEC260FFDCFD86E10A38CBF0D2FBfalsetrue 11241100x80000000000000007552941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 11241100x80000000000000007552940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000007552939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F81995C9B19E0BD90F6EDE31DF88D595,SHA256=97F5744F04BA17ACC2F6559BF28D6444062A808D27AF45B5E3AF3DA88722878Dfalsetrue 23542300x80000000000000007552938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DBAA0DF203A17F78BFCC65B68F13D266,SHA256=5944D2B16F6E9F8BA8742CAA6ED5155266FEF6DABBACDFE809041D5D94B42902falsetrue 11241100x80000000000000007552937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.618{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-09 17:20:36.243 11241100x80000000000000007552936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.618{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-09 17:20:35.943 11241100x80000000000000007552935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.610{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-09 17:20:35.191 11241100x80000000000000007552934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.602{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-09 17:20:34.561 11241100x80000000000000007552933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.602{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245 11241100x80000000000000007552932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:55.594{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 11241100x80000000000000007552931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.594{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 11241100x80000000000000007552930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.586{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000007552929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.586{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000007552928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.578{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000007552927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.578{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000007552926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:55.570{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000007552925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.570{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000007552924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.570{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.570{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=CA3B96648E44EAA77B738489ECEC87A8,SHA256=B208B5CE98E82325BC5721E016069E40E05272CAE661E3AE78D2279492EFC8CAfalsetrue 
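A triage check for the ProcessAccess (Sysmon Event ID 10) records in the dump above, added here as an example; it is not part of the Attack Range dataset or of any Splunk content. Read in Sysmon field order (SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace), the records at 17:09:55 have lsass.exe (PID 636) as SourceImage and WINWORD.EXE (PID 5676) as TargetImage, GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), and a call trace running from RPCRT4.dll into lsasrv.dll: lsass opened a handle to its RPC client while servicing a call. That is not the same thing as a process opening lsass to read its memory, and a rule that only matches "Office image and lsass.exe appear in one Event 10" gets the direction backwards. The code below parses Sysmon events in their EVTX XML form, separates the two directions and only flags handles to lsass.exe that carry memory-access rights. The sample records are constructed: the first copies field values from the dump, the other two (C:\Users\Public\tool.exe opening lsass with 0x1010, svchost.exe opening it with 0x1400) are hypothetical.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that involve lsass.exe.

Added example; not part of the Attack Range dataset. Sample records are constructed:
the first mirrors field values visible in the dump (lsass.exe PID 636 opening WINWORD.EXE
PID 5676 with GrantedAccess 0x1000 via RPCRT4.dll/lsasrv.dll); the others are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF
# Any of these on a handle to lsass.exe is enough to read or tamper with its memory.
DUMP_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
               | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)


def sysmon_xml(event_id, data):
    """Render one event in the EVTX XML layout Sysmon writes (constructed sample)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>'
            f'<EventData>{rows}</EventData></Event>')


def parse_event(xml_text):
    """Return the EventData fields as a dict, plus the integer EventID."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return ev


def image_name(path):
    """Lower-cased file name of an Image field, e.g. 'lsass.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_process_access(ev):
    """Label a ProcessAccess record by the direction of the open and the rights granted."""
    if ev["EventID"] != 10:
        return "not_process_access"
    src, tgt = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])
    access = int(ev["GrantedAccess"], 16)
    trace = ev.get("CallTrace", "").lower()
    if src == "lsass.exe":
        # lsass.exe is the SOURCE: it opened a handle to another process. With only
        # PROCESS_QUERY_LIMITED_INFORMATION and a call trace through the RPC runtime
        # into the LSA server DLL, this is LSA looking at the process that called it
        # over RPC, not anything touching LSASS memory. Who the client (TargetImage)
        # is remains the useful correlation key.
        if (access == PROCESS_QUERY_LIMITED_INFORMATION
                and "lsasrv.dll" in trace and "rpcrt4.dll" in trace):
            return "lsass_identifies_rpc_client"
        return "lsass_opens_other_process"
    if tgt == "lsass.exe":
        if access == PROCESS_ALL_ACCESS or access & DUMP_RIGHTS:
            return "lsass_memory_access"      # credential-dumping pattern: alert
        return "lsass_handle_low_rights"      # e.g. 0x1000 or 0x1400: very common
    return "unrelated"


def triage(xml_events):
    """(label, source image, target image, GrantedAccess) for each XML record."""
    out = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        out.append((classify_process_access(ev), image_name(ev["SourceImage"]),
                    image_name(ev["TargetImage"]), int(ev["GrantedAccess"], 16)))
    return out


# Constructed sample records (hypothetical GUIDs/PIDs except where copied from the dump).
RPC_TRACE = ("C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+221bd|"
             "C:\\Windows\\system32\\lsasrv.dll+4e83f|C:\\Windows\\system32\\lsasrv.dll+4e2bf|"
             "C:\\Windows\\System32\\RPCRT4.dll+7a593|C:\\Windows\\SYSTEM32\\ntdll.dll+51781")
PLAIN_TRACE = "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+2b860"
LSASS = "C:\\Windows\\system32\\lsass.exe"
WINWORD = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"
LSASS_GUID = "{4DF467A6-3F46-6132-0B00-00000000F001}"
SAMPLES = [
    # 1. Mirrors the dump: lsass.exe (PID 636) opens WINWORD.EXE (PID 5676) with 0x1000.
    sysmon_xml(10, {"RuleName": "-", "UtcTime": "2021-09-10 17:09:55.570",
                    "SourceProcessGUID": LSASS_GUID, "SourceProcessId": "636",
                    "SourceThreadId": "7016", "SourceImage": LSASS,
                    "TargetProcessGUID": "{4DF467A6-915E-613B-8222-01000000F001}",
                    "TargetProcessId": "5676", "TargetImage": WINWORD,
                    "GrantedAccess": "0x1000", "CallTrace": RPC_TRACE}),
    # 2. Hypothetical: a binary in a user-writable path opens lsass.exe with VM_READ set.
    sysmon_xml(10, {"RuleName": "-", "UtcTime": "2021-09-10 17:10:01.000",
                    "SourceProcessGUID": "{00000000-0000-0000-0000-000000000001}",
                    "SourceProcessId": "4242", "SourceThreadId": "4243",
                    "SourceImage": "C:\\Users\\Public\\tool.exe",
                    "TargetProcessGUID": LSASS_GUID, "TargetProcessId": "636",
                    "TargetImage": LSASS, "GrantedAccess": "0x1010", "CallTrace": PLAIN_TRACE}),
    # 3. Hypothetical: svchost.exe queries lsass.exe with 0x1400 (no memory rights).
    sysmon_xml(10, {"RuleName": "-", "UtcTime": "2021-09-10 17:10:02.000",
                    "SourceProcessGUID": "{00000000-0000-0000-0000-000000000002}",
                    "SourceProcessId": "724", "SourceThreadId": "5560",
                    "SourceImage": "C:\\Windows\\system32\\svchost.exe",
                    "TargetProcessGUID": LSASS_GUID, "TargetProcessId": "636",
                    "TargetImage": LSASS, "GrantedAccess": "0x1400", "CallTrace": PLAIN_TRACE}),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The WINWORD.EXE record is worth keeping as a correlation key rather than an alert: the same PID 5676 appears in the DNS query (Event ID 22) records above, including the query for hidusi.com that resolved to ::ffff:127.0.0.1, and at the same timestamps lsass.exe is creating (Event ID 11) and deleting (Event ID 23) files under C:\Users\Administrator\AppData\Local\Microsoft\Credentials. The only thing the Event 10 records themselves establish is that WINWORD.EXE called into LSA over RPC.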
10341000x80000000000000007552922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=4D5906927247F3D172BB9B2A779E8C20,SHA256=4B8166D117BCC8720F1F2EABF24657433102F073C70891C0725BCC189FB125ACfalsetrue 10341000x80000000000000007552920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=0A96D5876D5C54CE1FBE7BCCDEB737E2,SHA256=2DECF2E75870A8825886BCF4B89AA84481D2D02B51B27498B0DD0EE84D10E9FBfalsetrue 10341000x80000000000000007552918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=757EA610FBB7E19D6139F22FBFCE16EB,SHA256=332FE266BE1A480260933E6FE34D3A9B9F2673019D14CEB242D81FF3559E6A37falsetrue 10341000x80000000000000007552916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.562{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.561{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=CF788C81BA70A036BA63D2A597EB4D25,SHA256=EB6D6252FB4183E13B25133D987D56A42970B29CBD1154BF5612E682686DEFF9falsetrue 10341000x80000000000000007552914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.558{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.558{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=F7C7E4278F4E1AD8FF421AD8924DA640,SHA256=CE8F1F22393830A9D03540D85467D3FBCF1924C9D531257086B3E7C29405FA5Dfalsetrue 10341000x80000000000000007552912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.555{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.070{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=0F4AFBC0A6B5EE80DC384A7EAA9F5BE1,SHA256=D266AD1C8F0E7E877F2E3949038245F6485857501B9DF4E1A4A52AB614EE7B15falsetrue 10341000x80000000000000007552825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.066{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.066{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=BFED586A8CACDE788CF3628A815A02A1,SHA256=D8689900A1D2260725F1C6D2D6C6B78A9699A6735941889DF707298293F047C9falsetrue 10341000x80000000000000007552823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.062{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.062{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=C70E26677314C1F8159F051C48FB1365,SHA256=B96C9081A5EE19B00D6D1249845E1877AD50DCFBA1CEF04ECC733DC2F3991BE6falsetrue 10341000x80000000000000007552821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.058{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007552820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.057{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=C847A87202434801074F0E11EC3638AA,SHA256=4CC099F9F00EDBAA84004E95D7192B8E2749A45226F93DFFAA8DAC0271922DC7falsetrue 10341000x80000000000000007552819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.057{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007552818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007552817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8E0FDB87C8B5A6AA482C782B0B43B806,SHA256=124E6860343D92E8A12CA85B866F037B66E111A7B8862C97F2019E2A81831085falsetrue 23542300x80000000000000007552816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.052{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\21V0GGEK.cookieMD5=3699BBEC599E785A4CD923EEDBDC8988,SHA256=1847FC6171AA38A81A83368501E051B74B2E2E43A181C808F4BA6AC384C52996falsetrue 
11241100x80000000000000007552815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.051{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\Y34QBFT8.cookie2021-09-10 17:09:55.051 11241100x80000000000000007552814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.047{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007552813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:55.047{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=495215B47FA705F7BE5850C2773DC01B,SHA256=CFB6AD8B85D6DBAED6690EF65423A9C029E0FAEF2911ABE1DE2DFAF10267CB01falsetrue 23542300x80000000000000002131798Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.753{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBC885123C9814088F1D88785F3F50A,SHA256=78AED18D41E21DC2699A6F394170BC161AA461911A9781C3488848E1B4DC8E82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131797Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9163-613B-A11B-01000000F101}344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131796Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131791Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131789Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131788Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131787Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:55.369{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9163-613B-A11B-01000000F101}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131786Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.369{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9163-613B-A11B-01000000F101}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131785Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.354{AEE49BD1-9163-613B-A11B-01000000F101}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131784Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3760F5A1B2AB2281ACECD9BE643FDF58,SHA256=FD636AF3963049155EF6C7EEFF4A710A415D7A8056387164AA179F19B0D3960F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131783Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:55.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25232A5B8BC7FFD0B7C21B046BC2523,SHA256=3E6E28EDD599902743556781D3AC192BD5993D07CAD302B305265DD3CA385342,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007552973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.911{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm2021-09-10 17:09:56.911 11241100x80000000000000007552972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:56.911{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal2021-09-10 17:09:56.903 734700x80000000000000007552971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.903{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60EtrueMicrosoft WindowsValid 22542200x80000000000000007552970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.996{4DF467A6-915E-613B-8222-01000000F001}5676ols.officeapps.live.com0type: 5 prod.ols.live.com.akadns.net;::ffff:52.109.2.11;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.787{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007552968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.967{4DF467A6-915E-613B-8222-01000000F001}5676outlook.office365.com0type: 5 outlook.ha.office365.com;type: 5 outlook.ms-acdc.office.com;type: 5 EAT-efz.ms-acdc.office.com;::ffff:40.97.119.194;::ffff:40.97.84.34;::ffff:52.96.119.114;::ffff:52.96.164.66;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.787{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
22542200x80000000000000007552966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.742{4DF467A6-3F58-6132-2B00-00000000F001}294826.43.47.104.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000007552965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.687{4DF467A6-915E-613B-8222-01000000F001}5676clients.config.office.net0type: 5 geo.clients.config.office.akadns.net;type: 5 amr.clients.config.office.akadns.net;::ffff:13.89.141.56;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.787{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007552963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007552962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59CA1FE6AC044B96B6EFAA8667DBF442,SHA256=E4C096C550E2387DB6B832EB3C3DD8434B0A1CCA66FFA32239DB3397B870C08Bfalsetrue 354300x80000000000000007552961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.444{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56801-false52.109.0.29-443https 10341000x80000000000000007552960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.003{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.003{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
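The ProcessAccess (Event 10) records above are the ones worth reading carefully: lsass.exe is the source, not the target, it opens WINWORD.EXE with GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), and the call trace runs through lsasrv.dll and RPCRT4.dll, i.e. LSA servicing an RPC request from Word. A rule that only matches "lsass.exe in either image field" would fire on every one of them. The following Python is an added example, not part of the exported log and not Splunk or Sysmon code: it splits records in this page's flattened layout back into named fields and applies a direction-aware check that flags lsass.exe only as a target opened with PROCESS_VM_READ. The first three sample records are copied from this page (EventRecordIDs 7552833, 7552960 and 7552834, line breaks removed); the fourth, Word opening lsass.exe with 0x1010, is constructed for the test with a placeholder GUID and record ID and did not occur in this log.

```python
import re

PROCESS_VM_READ = 0x0010  # winnt.h; the right a credential dumper needs on lsass.exe
# 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, the mask lsass.exe itself requests above.

# System values of a flattened record are run together: EventID, Version, Level,
# Task (equal to EventID, so a backreference makes the split unambiguous), Opcode,
# Keywords, EventRecordID, Channel, Computer; RuleName ("-") and UtcTime open EventData.
_HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)"
    r"(?P<computer>[A-Za-z0-9.-]+?)(?P<rule_name>-)"
    r"(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$",
    re.S,
)

# Event 10 EventData. No delimiter survives between SourceProcessId and SourceThreadId,
# so they stay one digit run; TargetProcessId is unambiguous because a drive letter follows.
_ACCESS = re.compile(
    r"^(?P<src_guid>\{[0-9A-Fa-f-]{36}\})(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?)"
    r"(?P<tgt_guid>\{[0-9A-Fa-f-]{36}\})(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
    r"(?P<granted>0x[0-9A-Fa-f]+)(?P<call_trace>[A-Za-z]:\\.*)$",
    re.S,
)


def parse_record(record: str) -> dict:
    """Split one flattened Sysmon record into named fields; Event 10 bodies are decoded,
    every other event type keeps its EventData as one raw string."""
    m = _HEADER.match(record.strip())
    if m is None:
        raise ValueError("not a flattened Sysmon record")
    fields = m.groupdict()
    body = fields.pop("body")
    if fields["event_id"] == "10":
        b = _ACCESS.match(body)
        if b is None:
            raise ValueError("unparseable ProcessAccess body")
        fields.update(b.groupdict())
    else:
        fields["event_data"] = body
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_lsass_read(rec: dict) -> bool:
    """Flag only when lsass.exe is the TARGET and the mask carries PROCESS_VM_READ
    (0x1010, 0x1410, 0x1fffff and the like). lsass.exe as SOURCE with 0x1000 does not match."""
    if rec.get("event_id") != "10":
        return False
    mask = int(rec["granted"], 16)
    return basename(rec["tgt_image"]) == "lsass.exe" and bool(mask & PROCESS_VM_READ)


def via_lsa_rpc(rec: dict) -> bool:
    """True when the call trace passes through lsasrv.dll and RPCRT4.dll, i.e. LSA is
    servicing an RPC request rather than being opened by another process."""
    trace = rec.get("call_trace", "").lower()
    return "\\lsasrv.dll+" in trace and "\\rpcrt4.dll+" in trace


def triage(records):
    """(EventRecordID, source, target, GrantedAccess, suspect) for each Event 10 record."""
    rows = []
    for raw in records:
        rec = parse_record(raw)
        if rec["event_id"] != "10":
            continue
        rows.append((rec["record_id"], basename(rec["src_image"]),
                     basename(rec["tgt_image"]), rec["granted"], is_lsass_read(rec)))
    return rows


# Sample input: records 7552833, 7552960 and 7552834 copied from this page, then one
# CONSTRUCTED record (placeholder GUID/record ID) that did not occur in the log.
PAGE_LSASS_TO_WORD = (
    r"10341000x80000000000000007552833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-"
    r"2021-09-10 17:09:55.078{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe"
    r"{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
    r"0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd"
    r"|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf"
    r"|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41"
    r"|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274"
    r"|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b"
    r"|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c"
    r"|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b"
    r"|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e"
    r"|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
)
PAGE_SYSMON_TO_WORD = (
    r"10341000x80000000000000007552960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-"
    r"2021-09-10 17:09:56.003{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe"
    r"{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
    r"0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a"
    r"|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87"
    r"|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29"
    r"|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392"
    r"|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519"
    r"|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
)
PAGE_LSASS_FILEDELETE = (
    r"23542300x80000000000000007552834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-"
    r"2021-09-10 17:09:55.082{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEM"
    r"C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60"
    r"MD5=C9EDDAE0D14D47E94662FBDBD972025A,SHA256=1ABBE04A54FF8E8853F9B671F181B61EE23DE580C96DC54F6DEA99545E324136falsetrue"
)
CONSTRUCTED_WORD_TO_LSASS = (  # constructed for the test, not from the page
    r"10341000x80000000000000009000001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-"
    r"2021-09-10 17:10:00.000{00000000-0000-0000-0000-000000000001}56767020"
    r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3F46-6132-0B00-00000000F001}636"
    r"C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(0000000000000000)"
)
SAMPLES = [PAGE_LSASS_TO_WORD, PAGE_SYSMON_TO_WORD, PAGE_LSASS_FILEDELETE, CONSTRUCTED_WORD_TO_LSASS]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

Only the constructed record is flagged; the page's own lsass.exe-to-WINWORD.EXE and sysmon64.exe-to-WINWORD.EXE accesses pass, and the lsass.exe record is additionally recognisable as LSA RPC dispatch from its call trace. Production rules normally add an allow-list of known source images (EDR, Sysmon itself) on top of the direction and mask check.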
354300x80000000000000007552958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.420{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58958- 354300x80000000000000007552957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.300{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56800-false104.47.55.16-443https 10341000x80000000000000007552956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.003{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.003{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.063{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56797-false23.100.32.94-443https 354300x80000000000000007552953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:36.745{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65089- 354300x80000000000000007552952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:36.745{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57369- 23542300x80000000000000002131814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.753{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95A7461327EC20F673840D91A722A40,SHA256=1D5D21E8BEBDF33F0DDABBE471D9F6FE02B7177C7CFBAADBCB7BB8750B0193E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.400{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3760F5A1B2AB2281ACECD9BE643FDF58,SHA256=FD636AF3963049155EF6C7EEFF4A710A415D7A8056387164AA179F19B0D3960F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:46.873{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62375-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000002131811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9164-613B-A21B-01000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:09:56.053{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9164-613B-A21B-01000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.053{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9164-613B-A21B-01000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131799Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:56.038{AEE49BD1-9164-613B-A21B-01000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007552995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007552994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26EFD44118A7D2D8705DE5C0C8E33458,SHA256=605C74D0D680CFD73856BA4C3BFD6BEA1A6DA701102BC7A80CBE15D86B0106AEfalsetrue 22542200x80000000000000007552993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.818{4DF467A6-3F58-6132-2B00-00000000F001}294894.32.100.23.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000007552992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.473{4DF467A6-915E-613B-8222-01000000F001}5676substrate.office.com0type: 5 outlook.ha.office365.com;type: 5 outlook.ms-acdc.office.com;type: 5 EAT-efz.ms-acdc.office.com;::ffff:40.97.84.34;::ffff:52.96.119.114;::ffff:52.96.164.66;::ffff:40.97.119.194;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007552991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.788{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.509{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56807-false40.97.84.34-443https 10341000x80000000000000007552989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.496{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58169- 354300x80000000000000007552986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.041{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56804-false52.109.2.11-443https 10341000x80000000000000007552985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:38.018{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51235- 354300x80000000000000007552982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:38.006{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56803-false40.97.119.194-443https 10341000x80000000000000007552981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.989{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50205- 
354300x80000000000000007552978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.767{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56802-false13.89.141.56-443https 10341000x80000000000000007552977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.012{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007552975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.746{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61884- 
354300x80000000000000007552974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:37.718{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61884- 23542300x80000000000000002131815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:09:57.786{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8778E4FA1936640B8AD09C715706CE12,SHA256=8E8C21A7E4916A760889530ECFF5D4418E8AE3A0E62637022B13BDA8C719CEF4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007553016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:40.242{4DF467A6-915E-613B-8222-01000000F001}5676hidusi.com0::ffff:127.0.0.1;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007553015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:58.789{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007553014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:40.207{4DF467A6-915E-613B-8222-01000000F001}5676hidusi.com0::ffff:127.0.0.1;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007553013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:58.789{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007553012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:06.842{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B01C0\VirtualDesktopBinary Data 12241200x80000000000000007553280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.842{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B01C0 10341000x80000000000000007553279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.842{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007553278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.795{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000007553277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:06.795{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000007553276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.795{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Documents_en-US2021-09-08 15:57:53.835 23542300x80000000000000007553275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.795{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Documents_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 734700x80000000000000007553274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.727{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid 734700x80000000000000007553273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:06.727{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 734700x80000000000000007553272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.727{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Globalization.dll10.0.14393.4467 (rs1_release.210604-1844)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=4D2537567A93ABF1D93CB7A7E76F954C,SHA256=5740181B56927C0DC66A6BCECA15EA2806A0ED471A01F785AD47C8C73A1DF85FtrueMicrosoft WindowsValid 12241200x80000000000000007553271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007553269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 
12241200x80000000000000007553268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007553253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.680{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007553244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007553243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007553240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.663{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 12241200x80000000000000007553239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007553237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 10341000x80000000000000007553236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007553235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x80000000000000007553231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common 
Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007553230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x80000000000000007553226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007553225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007553223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007553222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007553221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000007553212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Project details (1).docx.LNK2021-09-10 17:10:06.664 23542300x80000000000000007553211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Project details (1).docx.LNKMD5=B89BF365415801C72C43792478C38FEC,SHA256=24432B759E73421E24D06D056B69517D3977076959D60B00FE7540206258F661falsetrue 12241200x80000000000000007553210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007553209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program 
Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+6165e|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}56765592C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007553198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Project details (1).docx.LNK2021-09-10 17:10:06.664 734700x80000000000000007553197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.664{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 12241200x80000000000000007553196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.663{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 18141800x80000000000000007553195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:06.663{4DF467A6-915E-613B-8222-01000000F001}5676\srvsvcC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 12241200x80000000000000007553194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.663{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007553191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft 
CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 12241200x80000000000000007553190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.661{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007553183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.660{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\Common 12241200x80000000000000007553168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:10:06.659{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 12241200x80000000000000007553167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:10:06.659{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\!/ 12241200x80000000000000007553166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 12241200x80000000000000007553164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\x0 12241200x80000000000000007553163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 13241300x80000000000000007553162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2468CDCC\2468CDCCBinary Data 12241200x80000000000000007553161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2468CDCC 12241200x80000000000000007553160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery 12241200x80000000000000007553158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007553157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\PointsBinary Data 13241300x80000000000000007553156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007553155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\TypeDWORD (0x00000000) 12241200x80000000000000007553154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 13241300x80000000000000007553153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xb3efc0cb) 12241200x80000000000000007553152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007553151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000007553150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\windows.storage.dll+3c6ffe|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca15e|C:\Windows\System32\windows.storage.dll+3c5e2f|C:\Windows\System32\windows.storage.dll+3c6f70|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007553148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000007553147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007553146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.642{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007553145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}56768176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c76c8|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}56768176C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}56768176C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007553142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User 
MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\Place MRU\Item 3[F00000000][T01D7A59EFF901F10][O00000000]*C:\Users\Administrator\Desktop\5047669871509504\ 13241300x80000000000000007553141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\Place MRU\Item 2[F00000000][T01D7A5A1B56CE7D0][O00000000]*C:\Users\Administrator\Desktop\5175182148927488\ 13241300x80000000000000007553140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\Place MRU\Item 1[F00000000][T01D7A666B3EFA120][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\ 13241300x80000000000000007553139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 3[F00000000][T01D7A59EFF901F10][O00000000]*C:\Users\Administrator\Desktop\5047669871509504\938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52.docx 13241300x80000000000000007553138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 2[F00000000][T01D7A5A1B56CE7D0][O00000000]*C:\Users\Administrator\Desktop\5175182148927488\938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52.docx 13241300x80000000000000007553137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.642{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 1[F00000000][T01D7A666B3EFA120][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\Project details (1).docx 12241200x80000000000000007553136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007553135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.611{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51trueMicrosoft WindowsValid 12241200x80000000000000007553134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000007553133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007553118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.627{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007553110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.611{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid 12241200x80000000000000007553109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.611{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007553108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.595{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=ACF31D492FD578C0374EB20CC393BE98,SHA256=D49ECA60A94B30DB87CDCEB36F284D273E080E8689E4B0F99D5BD44FFD117A92trueMicrosoft WindowsValid 11241100x80000000000000007553107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:06.580{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{384FFB93-52A7-4370-ACCB-1CC9CAAFDFE8}.tmp2021-09-10 17:10:06.580 11241100x80000000000000007553106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:06.580{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{FF75C199-346D-41CB-AEE3-E35C36830989}.tmp2021-09-10 17:10:06.580 13241300x80000000000000007553105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000007553104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000007553103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000007553102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000007553101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a666) 
13241300x80000000000000007553100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xb3c20c23) 13241300x80000000000000007553099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a666) 13241300x80000000000000007553098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xb3b06de6) 12241200x80000000000000007553097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x80000000000000007553096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x80000000000000007553095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 
13241300x80000000000000007553094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007553093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x80000000000000007553092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x80000000000000007553091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x80000000000000007553090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x80000000000000007553089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000007553088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000007553087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x80000000000000007553086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$ 12241200x80000000000000007553085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000007553084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000007553083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:06.343{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x80000000000000007553082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131835Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131834Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131833Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:07.936{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-916F-613B-A31B-01000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131832Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:07.936{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-916F-613B-A31B-01000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131831Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:07.920{AEE49BD1-916F-613B-A31B-01000000F101}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131830Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:07.857{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A3118A7C865CDA498DF41C7DF51273,SHA256=F29492F79493FDBB33876FF0D25DAEBA246B0D11BE8CED1A51D2B90C4F06FD22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007553367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:09:49.541{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56836-false52.109.2.52-443https 10341000x80000000000000007553366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.792{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.792{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007553364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007553363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B0ACF4B16A4CDF5DF1805F682DBB76,SHA256=31585E2BF4A157BC5877516E57FA91FE72B5B1F571F24983C68BB877F60130C8falsetrue 22542200x80000000000000007553362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.773{4DF467A6-915E-613B-8222-01000000F001}5676odc.officeapps.live.com0type: 5 prod.odcsm1.live.com.akadns.net;type: 5 us2.odcsm1.live.com.akadns.net;::ffff:52.109.2.1;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007553361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.257{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007553360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.494{4DF467A6-915E-613B-8222-01000000F001}5676ocws.officeapps.live.com0type: 5 prod.ocws1.live.com.akadns.net;type: 5 
us2.ocws1.live.com.akadns.net;::ffff:52.109.2.52;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007553359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.255{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007553358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.795{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61762- 354300x80000000000000007553357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.540{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56837-false52.109.2.52-443https 10341000x80000000000000007553356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.009{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:08.009{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007553354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.511{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62735- 354300x80000000000000007553353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56835-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000007553352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56835-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000007553351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.216{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56834-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000007553350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.216{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56834-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000007553349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.215{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56833-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007553348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.215{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56833-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007553347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.105{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local56832-false10.0.1.14win-dc-291.attackrange.local389ldap 
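The records above are a Splunk export of Sysmon events (Event ID 3 network connections from WINWORD.EXE to 52.109.2.52:443, Event ID 22 DNS queries for ocws.officeapps.live.com and odc.officeapps.live.com from the same process GUID, and Event ID 3 records from lsass.exe and System on the domain controller) with the field delimiters stripped, so the fields run together. The following Python is an added example, not part of the dataset or of any Splunk or Sysmon tooling: it splits the flattened export back into records on the Sysmon header, pulls the fields of the Event ID 3 and 22 bodies apart with best-effort regexes, and flags Office processes that initiate a connection to a globally routable address, enriched with the name that the same process GUID resolved to that address. The four sample records are copied from the export above (constructed input, one of them broken across a line as it is on the page). Assumptions: line breaks in the export fall on spaces, every record carries Keywords 0x8000000000000000 and a Task equal to its EventCode, the Image ends in .exe or is "System", and the destination side of an Event ID 3 can be pinned from the end of the record; the OFFICE_APPS list is illustrative. Where the original XML or JSON events are available, parse those instead, since this flattened form is ambiguous by construction (a hostname that starts with a hex digit, or a DNS name containing a digit, can defeat the field boundaries).

```python
import ipaddress
import re
from ntpath import basename  # Windows path semantics regardless of host OS

# Constructed sample: four records copied from the export above; the second is
# deliberately broken across a line, as the export is.
SAMPLE = r"""
354300x80000000000000007553367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.541{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56836-false52.109.2.52-443https
22542200x80000000000000007553360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.494{4DF467A6-915E-613B-8222-01000000F001}5676ocws.officeapps.live.com0type: 5 prod.ocws1.live.com.akadns.net;type: 5
us2.ocws1.live.com.akadns.net;::ffff:52.109.2.52;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
354300x80000000000000007553347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.105{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local56832-false10.0.1.14win-dc-291.attackrange.local389ldap
354300x80000000000000007553352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56835-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds
"""

# Record header as it appears in the export: EventCode, Version, Level, Task, Opcode,
# Keywords, RecordNumber, Channel, Computer, "-", UtcTime, ProcessGuid, ProcessId.
# Task always equals EventCode, which is what makes the leading digit run splittable.
HEADER = re.compile(
    r"(?P<ec>\d{1,2})\d\d(?P=ec)00x8000000000000000(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>\S+?)-"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
    r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)"
)
# Event ID 3 body. The destination side is pinned by anchoring on the end of the
# record (port number followed by a port name of letters and dashes); the source
# side is kept as one opaque blob because its boundaries are ambiguous.
NET = re.compile(
    r"(?P<image>System|[A-Za-z]:\\.*?\.[eE][xX][eE])(?P<user>.+?)(?P<proto>tcp|udp)"
    r"(?P<initiated>true|false)(?P<src>.*)(?P<dst6>true|false)"
    r"(?P<dstip>[0-9a-fA-F.:]+)(?P<dsthost>.*?)(?P<dstport>\d{1,5})(?P<dstpname>[a-z-]*)$"
)
# Event ID 22 body: QueryName, QueryStatus, QueryResults (";"-separated), Image.
DNS = re.compile(
    r"(?P<qname>[A-Za-z0-9.-]+?)(?P<status>\d+)"
    r"(?P<results>(?:(?:type: \d+ [^;]+|[0-9a-fA-F:.]+);)*)(?P<image>[A-Za-z]:\\.+)$"
)
# Illustrative list (assumption): Office binaries whose outbound traffic we want to see.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}


def _ip(text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(text)
    return getattr(ip, "ipv4_mapped", None) or ip


def split_records(text):
    """Rejoin the export's line breaks (they fall on spaces) and cut on each header."""
    flat = re.sub(r"\s*\n\s*", " ", text)
    starts = [m.start() for m in HEADER.finditer(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, starts[1:] + [len(flat)])]


def parse_record(rec):
    """Return a dict of header fields plus the Event ID 3 / 22 body fields we need."""
    m = HEADER.match(rec)
    if not m:
        return None
    e = m.groupdict()
    body = rec[m.end():]
    if e["ec"] == "3":
        n = NET.match(body)
        if n:
            e.update(image=n["image"], user=n["user"], proto=n["proto"],
                     initiated=n["initiated"] == "true", dstport=int(n["dstport"]),
                     dsthost=n["dsthost"], dstpname=n["dstpname"])
            try:
                e["dstip"] = _ip(n["dstip"])
            except ValueError:  # hostname glued onto the address; leave unresolved
                e["dstip"] = None
    elif e["ec"] == "22":
        d = DNS.match(body)
        if d:
            answers = [a for a in d["results"].split(";") if a and not a.startswith("type:")]
            e.update(qname=d["qname"], image=d["image"], ips=[_ip(a) for a in answers])
    return e


def office_external_connections(text):
    """Office process initiating a connection to a global address, with DNS context."""
    events = [e for e in (parse_record(r) for r in split_records(text)) if e]
    resolved = {}  # (ProcessGuid, answer address) -> queried name
    for e in events:
        if e["ec"] == "22":
            for ip in e.get("ips", []):
                resolved[(e["guid"], ip)] = e["qname"]
    hits = []
    for e in events:
        if e["ec"] != "3" or not e.get("dstip"):
            continue
        if basename(e["image"]).lower() not in OFFICE_APPS:
            continue
        if not e["initiated"] or not e["dstip"].is_global:
            continue  # inbound, private, loopback or link-local: not of interest here
        hits.append({"record": e["rec"], "host": e["host"], "time": e["ts"],
                     "image": e["image"], "user": e["user"],
                     "dst": f"{e['dstip']}:{e['dstport']}",
                     "resolved": resolved.get((e["guid"], e["dstip"]))})
    return hits


if __name__ == "__main__":
    for hit in office_external_connections(SAMPLE):
        print(hit)
```

Run against the sample, the lsass.exe and System records drop out (private and link-local destinations) and the one hit is WINWORD.EXE reaching 52.109.2.52:443, tied back to the ocws.officeapps.live.com lookup by the same process GUID. On real data the DNS join is what turns a bare address into something an analyst can triage, which is why the correlation key is (ProcessGuid, address) rather than the address alone.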
354300x80000000000000007553346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.105{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56832-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000007553345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.099{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56831-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007553344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.099{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56831-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007553343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.098{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56830-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000007553342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.098{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56830-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 10341000x80000000000000002131858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.741{AEE49BD1-9170-613B-A41B-01000000F101}5100704C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9170-613B-A41B-01000000F101}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131855Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131854Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131853Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131852Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131851Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131850Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131849Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:08.620{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9170-613B-A41B-01000000F101}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.620{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9170-613B-A41B-01000000F101}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.605{AEE49BD1-9170-613B-A41B-01000000F101}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002131844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:08.056{AEE49BD1-916F-613B-A31B-01000000F101}3724440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007553386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=5864FAD8F40973D29D4A31835EFB1276,SHA256=440F89C78A3CF68B30B340471F01538640C6BA660D90CC8D54FD941AAE82AFCBfalsetrue 11241100x80000000000000007553384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=BFF58BE1B9E84E4BF1D4603E10C681C5,SHA256=097F4BAF2ED44EBE6DB0381D51B908C45E85FCDB74D8AEF3FEE609766A7E17BCfalsetrue 11241100x80000000000000007553382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=4402B06731C64E023E92910BFC9455E3,SHA256=97BB6AB123ADDE251F27280074101D66CA534DBC9AB943C266838705FF7A6A7Ffalsetrue 11241100x80000000000000007553380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=666907154196BC7A7B203C53D038E0F8,SHA256=39EEA421BEFEFA827FDCE5A38DB1FED2AD3BC0477F8BCB88DA19905301AB1882falsetrue 11241100x80000000000000007553378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=4284C11966802E3189B14D1AE69F0BC4,SHA256=FA5C8114A592E2C9C24DBD3E238415F84118C15E1C6544E72164B3BEBA958D01falsetrue 11241100x80000000000000007553376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.990{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=654BF79F79BE5579BCC7E3ACA1F5A328,SHA256=C0801E8D7C49F9CAE738DC6B8E0D6C4B6BC26D5B66C5C7ED32C4750FF44B55C1falsetrue 13241300x80000000000000007553374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:09.853{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007553373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:09.853{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 
354300x80000000000000007553372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:49.817{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56838-false52.109.2.1-443https 10341000x80000000000000007553371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.837{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.837{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007553369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.375{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007553368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:09.375{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02D47195D1B40C18D0E156F7CD54FC7D,SHA256=06CE647B85C8261329073CBAD504F864690DD911A47A6E4859C4F4F81A52AE88falsetrue 10341000x80000000000000002131874Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.303{AEE49BD1-9171-613B-A51B-01000000F101}21566048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131873Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9171-613B-A51B-01000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002131872Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131871Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002131870Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131869Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131868Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131867Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131866Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131865Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131864Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:09.172{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9171-613B-A51B-01000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.172{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9171-613B-A51B-01000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.157{AEE49BD1-9171-613B-A51B-01000000F101}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.140{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB809891B1AEEF73D932DF499FDF8F18,SHA256=1C1E7FBC9F39EDD866B28AF19B3F55F8FB0B12C2F6668D9B3AA0654D48D60FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:09.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BF60248E43EBB3DA654D208F18751D,SHA256=2FEA97BA27B085CD1C648C76BFABFF62C0A9FBF17B604E1EEC5981A0932C86CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007553387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:51.024{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56839-false10.0.1.12-8000- 23542300x80000000000000002131876Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:10.157{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D127387969BFCD51B1BBC91805E3E35F,SHA256=A35A60EC39AC27CD66B261D2E59B887AB89F0385517456089AB1A40FB05F3B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131875Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:10.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021FEA8FC75545E73F6F90D0089BE003,SHA256=C23CA4A79AF1D5307398F9DCDB6BB629DFCA73C96A69DC6BC9BE1BD1C582D490,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:11.572{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:11.572{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF293EBA71998BF61A8FCB4624D69F81,SHA256=B2C808619EBE824E80F4DC40CA83888E1B344C83E990B630D382364BDF8F335Ffalsetrue 23542300x80000000000000002131878Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:11.622{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131877Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:11.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3656B05B30527ABBCC4F424786A0B892,SHA256=CCF3FF4A9A79B833B4D33B7F7C33FB6215746D50B1D000B0997A17851481A295,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:12.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007553394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:12.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1DA7DC2EEB495E656B0CB65874BD251C,SHA256=EA10B0A77B54748D288E57E4E11F0129D9AEE93BE866D4A97160C958B46E6E47falsetrue 11241100x80000000000000007553393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:12.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:12.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31C53CCD6278BA6E2429173CA6A6D4A,SHA256=065C070FBC8C5FD9E2E23A210654476A47B19A577737C49DA1909547D5CD81A6falsetrue 11241100x80000000000000007553391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:12.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:12.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0A9E7C928F32C11B324BADDDBF6398,SHA256=F7F81462F6E6FFF86F261EC3310CF0BB0CC3BFE1586B6B378308B2F5C698AD6Bfalsetrue 354300x80000000000000002131881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:03.878{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62378-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131880Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:12.323{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8423CA5F334A066A2D6DC0C2C3898954,SHA256=F78347899999E86FCC435CEDE556F10E8EB97A06343E048C4C7FA52E9A5E0EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131879Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:12.091{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5130D7FBB81329CF46747CE1BD93F00F,SHA256=97C84F8973B918FDCF7CF4482B90F12710F6FFEE2D9E3841706130410A73C265,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131883Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:04.410{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62379-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002131882Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:13.093{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474349B7B2736B265FCB46B3127A6DE5,SHA256=6C65950830B61A5BAB1724C648B58ACE84FF1F20C2D8B60318C77F3F133723AE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007553541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:14.567{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTimeBinary Data 12241200x80000000000000007553540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.567{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate 12241200x80000000000000007553539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.567{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000007553538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.567{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x80000000000000007553537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 
12241200x80000000000000007553536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x80000000000000007553535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates 
12241200x80000000000000007553528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft 12241200x80000000000000007553527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies 12241200x80000000000000007553526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000007553518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000007553517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000007553516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000007553515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000007553514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000007553513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 
12241200x80000000000000007553512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000007553511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000007553510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 
12241200x80000000000000007553504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates 12241200x80000000000000007553503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft 12241200x80000000000000007553502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies 12241200x80000000000000007553501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000007553493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000007553492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000007553491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007553490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000007553489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 
12241200x80000000000000007553488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000007553487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007553486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000007553485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000007553484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000007553483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000007553482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 
12241200x80000000000000007553481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates 12241200x80000000000000007553471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft 12241200x80000000000000007553470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies 12241200x80000000000000007553469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000007553467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x80000000000000007553466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x80000000000000007553465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x80000000000000007553464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000007553457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000007553456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000007553455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000007553454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000007553453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates 12241200x80000000000000007553446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft 12241200x80000000000000007553445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies 12241200x80000000000000007553444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 
12241200x80000000000000007553440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 
12241200x80000000000000007553425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates 12241200x80000000000000007553424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates 12241200x80000000000000007553421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies\Microsoft 12241200x80000000000000007553420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Policies 12241200x80000000000000007553419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates 12241200x80000000000000007553414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000007553413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE 12241200x80000000000000007553412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000007553411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000007553410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000007553409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000007553408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000007553407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000007553406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000007553405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000007553404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.551{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000007553403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:14.530{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x80000000000000007553402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.530{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 
(rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 11241100x80000000000000007553401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007553400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F317134FCD4EEBB70944A83CF83B3387,SHA256=13B01D086660B6DAAA5A3734B712D6B99EE94FAD7FD9B3AB4E61717BC0D3C75Efalsetrue 11241100x80000000000000007553399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007553398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007553397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CAA8B5916FDC4B3A583AC90B49EED5,SHA256=F581AB9E1F0230474ABD8FFAFB728BAA7DB434E0E55342932F66695E3A5C3A05falsetrue 23542300x80000000000000007553396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:14.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E1B007E604780366E4B6B80A4EDFD6,SHA256=731F1C9D603076C2D75CDA7D89F86AE28A01B0DE348A64D2A776BE8159EADC73falsetrue 23542300x80000000000000002131885Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:14.264{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9918MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131884Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:14.093{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB711A0601EEC691338C590A576B07EF,SHA256=9813B581028533CC7500B04B2FCA0B7FD954F4017AD864643C7CEBAEC9383CC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.645{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007553558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.645{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F317134FCD4EEBB70944A83CF83B3387,SHA256=13B01D086660B6DAAA5A3734B712D6B99EE94FAD7FD9B3AB4E61717BC0D3C75Efalsetrue 10341000x80000000000000007553557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.281{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:15.281{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.281{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007553554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:56.101{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56840-false10.0.1.12-8000- 11241100x80000000000000007553553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=B781371C54107AB82F8FAC106EB241C6,SHA256=128C20D12EC9A248766D8E4CF0BBFC8C950101C88EF77583DF82015509860956falsetrue 11241100x80000000000000007553551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=BD07E6462F6D934C6D1CB5D6AEE597B1,SHA256=5C7DFF83887A56B957BD03A6BCACBC36E4AAED649EA79AFBB693E9FD78495B1Bfalsetrue 11241100x80000000000000007553549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=877F7755BE1EA55D6420D32D68D35BE3,SHA256=AB8ACA7F28F3AB9DD8F4138E04332BCDA11A65872EE999E1D1E71746D1D69163falsetrue 11241100x80000000000000007553547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=F03BC656E9A0A0DC3A5EFF976FA2AF5F,SHA256=69604B4683DBF66E9E66E719D1EF0F7D65E142265F9C423C2C5A3B57F0C0DDA5falsetrue 11241100x80000000000000007553545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 
23542300x80000000000000007553544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=1C5B66E8C7AFDB37B65DD38D4179CEF9,SHA256=241B3A0E3E738703505F62216A19A5C8899035096A15F4AC9D0288F19D74CA0Ffalsetrue 11241100x80000000000000007553543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007553542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:15.013{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=FE6FC3C6C59F014FE7124DD1330A39BB,SHA256=626EC42536124F336AFDC2C55CE9E523A61AB7416FD4D1F84F4C085352F8B4CEfalsetrue 23542300x80000000000000002131887Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:15.264{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9919MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131886Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:15.110{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637C97677DDE471CAC307C7238ACB5F4,SHA256=E3762053BD2823A170B746D8C7F61B2B41614A15688366FBA224642BBFB3DF5B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:16.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:16.879{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19095A044CFFE8D1C2126584D0B2DFBA,SHA256=C83CDC2B74A5E7E61761504FB0FEB7BE2F549E74E673D66D5F9F51E5226A3BCEfalsetrue 354300x80000000000000007553562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.403{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57835- 11241100x80000000000000007553561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:16.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:16.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7DB474E0080B08D1156589A90FCFF3,SHA256=28E2104BAC57B1D6E1F95817AB80462254963AD1EA08A80AD4AF667409DA6767falsetrue 23542300x80000000000000002131888Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:16.112{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD34668774F9AC18116133888B66EE55,SHA256=034207F324294C0DD8A4A696BC31353B3A553DE3A79F092B6A6A48B7893DEBD6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2468fa2a.TMP2021-09-10 17:10:17.992 734700x80000000000000007553573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 254200x80000000000000007553572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IEX6MLNBE2I2L2TUN8PW.temp2021-09-08 15:20:54.5192021-09-10 17:10:17.992 11241100x80000000000000007553571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IEX6MLNBE2I2L2TUN8PW.temp2021-09-10 17:10:17.992 13241300x80000000000000007553570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:17.977{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007553569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:17.961{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 734700x80000000000000007553568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.946{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValid 11241100x80000000000000007553567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:17.462{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.462{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358CA999C06BAE63799874C69250BDF8,SHA256=07C634BBA255D3E0136B026A9A0144821C604DA0DB0CD45193DD7762B06E23D4falsetrue 354300x80000000000000007553565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:09:57.412{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-291.attackrange.local56841-false72.21.81.240-80http 23542300x80000000000000002131889Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:17.268{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246CC8E3565247BAACE582C1D159B242,SHA256=CBE545FA0FECEDE0B832BDDDC414FF938DCD1E26004CF0C6231B03B9DA946EC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007553766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C20BC443A0FDBD8A68D455B39220BC0,SHA256=CA47823C36439824FB02961C4778711E057C1B17F0E2CF1631D163022DAD5833falsetrue 11241100x80000000000000007553765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007553764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.843{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9FC1D615FBC5E851BF981351767B658,SHA256=17DC62DC611FD53BBBD1767845DFAF238C203A4F82C052FD09B34BAC7E11BA9Afalsetrue 23542300x80000000000000007553763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAE.tmpMD5=F10DF902980F1D5BEEA96B2C668408A7,SHA256=E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02falsetrue 23542300x80000000000000007553762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAA7.tmpMD5=D3C9036E4E1159E832B1B4D2E9D42BF0,SHA256=434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CEfalsetrue 23542300x80000000000000007553761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAD.tmpMD5=205AF51604EF96EF1E8E60212541F742,SHA256=DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2Dfalsetrue 23542300x80000000000000007553760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAB.tmpMD5=6D787B1E223DB6B91B69238062CCA872,SHA256=DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4falsetrue 23542300x80000000000000007553759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAB0.tmpMD5=51804E255C573176039F4D5B55C12AB2,SHA256=3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134Bfalsetrue 23542300x80000000000000007553758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAA.tmpMD5=62863124CDCDA135ECC0E722782CB888,SHA256=23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3falsetrue 11241100x80000000000000007553757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:18.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 13241300x80000000000000007553756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\LastUpdateBinary Data 13241300x80000000000000007553755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\NextUpdateBinary Data 13241300x80000000000000007553754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851220[A:TM02851220][F:gosttitle][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab][G:][L:0] 23542300x80000000000000007553753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAC1.tmpMD5=91AADBEC4171CFA8292B618492F5EF34,SHA256=7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EAfalsetrue 13241300x80000000000000007553752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851223[A:TM02851223][F:iso690][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab][G:][L:0] 13241300x80000000000000007553751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851224[A:TM02851224][F:iso690nmerical][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab][G:][L:0] 11241100x80000000000000007553750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 13241300x80000000000000007553749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851222[A:TM02851222][F:ieee2006officeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab][G:][L:0] 23542300x80000000000000007553748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FD69DB602A1BDF98AC4C8BE5A783B55,SHA256=81376B8974B7EE5CB1B9C92292887E58BB405E4AC3032CF29F8847F9EBE8D682falsetrue 23542300x80000000000000007553747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAA8.tmpMD5=92A819D434A8AAEA2C65F0CC2F33BB3A,SHA256=5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375falsetrue 13241300x80000000000000007553746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851217[A:TM02851217][F:chicago][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab][G:][L:0] 23542300x80000000000000007553745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95490F6C7AF47ACF0843E97FDAD86BBB,SHA256=37B9C0B8C8DEEB7AE861CF3842B5E6DDDF302A7E4ED81FA1DA5BA2CBB887477Ffalsetrue 13241300x80000000000000007553744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851216[A:TM02851216][F:apasixtheditionofficeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab][G:][L:0] 13241300x80000000000000007553743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851227[A:TM02851227][F:sist02][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab][G:][L:0] 23542300x80000000000000007553742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAC.tmpMD5=53EE9DA49D0B84357038ECF376838D2E,SHA256=9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374falsetrue 23542300x80000000000000007553741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEF.tmp\Content.infMD5=9C00979164E78E3B890E56BE2DF00666,SHA256=21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7Bfalsetrue 23542300x80000000000000007553740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEC.tmp\Content.infMD5=F25AC64EC63FA98D9E37782E2E49D6E6,SHA256=834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8ABfalsetrue 13241300x80000000000000007553739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851218[A:TM02851218][F:gb][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab][G:][L:0] 23542300x80000000000000007553738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEB.tmp\Content.infMD5=A0D51783BFEE86F3AC46A810404B6796,SHA256=47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640Ffalsetrue 23542300x80000000000000007553737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAED.tmp\Content.infMD5=4A9A2E8DB82C90608C96008A5B6160EF,SHA256=4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7falsetrue 23542300x80000000000000007553736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEE.tmp\Content.infMD5=9B8D7EFE8A69E41CDC2439C38FE59FAF,SHA256=70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2falsetrue 
23542300x80000000000000007553735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAC3.tmpMD5=69EDB3BF81C99FE8A94BBA03408C5AE1,SHA256=CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789falsetrue 23542300x80000000000000007553734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEA.tmp\Content.infMD5=C3216C3FC73A4B3FFFE7ED67153AB7B5,SHA256=7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CBfalsetrue 23542300x80000000000000007553733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE9.tmp\Content.infMD5=149948E41627BE5DC454558E12AF2DA4,SHA256=1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776EDfalsetrue 23542300x80000000000000007553732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAF.tmpMD5=C455C4BC4BEC9E0DA67C4D1E53E46D5A,SHA256=40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0falsetrue 23542300x80000000000000007553731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAA9.tmpMD5=1D6F8E73A0662A48D332090A4C8C898F,SHA256=8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673falsetrue 23542300x80000000000000007553730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAC2.tmpMD5=E033CCBC7BA787A2F824CE0952E57D44,SHA256=D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730falsetrue 13241300x80000000000000007553729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851226[A:TM02851226][F:turabian][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab][G:][L:0] 23542300x80000000000000007553728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE8.tmp\Content.infMD5=877A8A960B2140E3A0A2752550959DB9,SHA256=FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47falsetrue 23542300x80000000000000007553727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE7.tmp\Content.infMD5=C15EB3F4306EBF75D1E7C3C9382DEECC,SHA256=23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7Ffalsetrue 
13241300x80000000000000007553726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851219[A:TM02851219][F:gostname][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab][G:][L:0] 23542300x80000000000000007553725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE5.tmp\Content.infMD5=8D9B02CC69FA40564E6C781A9CC9E626,SHA256=1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAEfalsetrue 13241300x80000000000000007553724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851221[A:TM02851221][F:harvardanglia2008officeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab][G:][L:0] 11241100x80000000000000007553723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAED.tmp\Content.inf2021-09-10 17:10:18.177 13241300x80000000000000007553722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851225[A:TM02851225][F:mlaseventheditionofficeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab][G:][L:0] 13241300x80000000000000007553721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033\LastUpdateBinary Data 13241300x80000000000000007553720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033\NextUpdateBinary Data 11241100x80000000000000007553719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEF.tmp\Content.inf2021-09-10 17:10:18.177 11241100x80000000000000007553718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEE.tmp\Content.inf2021-09-10 17:10:18.177 13241300x80000000000000007553717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033\TM02835233[A:TM02835233][F:Text Sidebar (Annual Report Red and Black design)][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab][G:][L:0] 11241100x80000000000000007553716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEC.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.177{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEB.tmp\Content.inf2021-09-10 17:10:18.161 23542300x80000000000000007553714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE4.tmp\Content.infMD5=333BA58FCE326DEA1E4A9DE67475AA95,SHA256=66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097falsetrue 23542300x80000000000000007553713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE3.tmp\Content.infMD5=4EC6724CBBA516CF202A6BD17226D02C,SHA256=18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402falsetrue 11241100x80000000000000007553712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE9.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE8.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEA.tmp\Content.inf2021-09-10 17:10:18.161 23542300x80000000000000007553709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE6.tmp\Content.infMD5=2F7A8FE4E5046175500AFFA228F99576,SHA256=1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363falsetrue 11241100x80000000000000007553708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE7.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEF.tmp\iso690nmerical.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEE.tmp\iso690.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAED.tmp\chicago.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEB.tmp\gosttitle.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEC.tmp\ieee2006officeonline.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEF.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE5.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEA.tmp\APASixthEditionOfficeOnline.xsl2021-09-10 17:10:18.161 
11241100x80000000000000007553699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEE.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE4.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE3.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE9.tmp\sist02.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE6.tmp\Content.inf2021-09-10 17:10:18.161 11241100x80000000000000007553694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE8.tmp\gb.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAED.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEC.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEF.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEB.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE7.tmp\turabian.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEE.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE6.tmp\Text Sidebar (Annual Report Red and Black design).docx2021-09-10 17:10:18.161 
11241100x80000000000000007553686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE5.tmp\gostname.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEC.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAED.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEA.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE9.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE4.tmp\mlaseventheditionofficeonline.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE3.tmp\harvardanglia2008officeonline.xsl2021-09-10 17:10:18.161 11241100x80000000000000007553679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEB.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE8.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE7.tmp2021-09-10 17:10:18.161 734700x80000000000000007553676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=103D84E49F517098C0E8E14044BB1F73,SHA256=370BAADCA5D39C94A532D2E80EBA6CA537B47E41038A332412AEE4BBA5F025B9trueMicrosoft WindowsValid 11241100x80000000000000007553675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE6.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE5.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAEA.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE9.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE8.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE7.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE6.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE5.tmp2021-09-10 17:10:18.161 
11241100x80000000000000007553667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE4.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE3.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE4.tmp2021-09-10 17:10:18.161 11241100x80000000000000007553664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.161{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\TCDFAE3.tmp2021-09-10 17:10:18.161 734700x80000000000000007553663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.145{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=96BBBC9AD606CF5EBAF525E3AB1C69A5,SHA256=32F0EA9185A6E1DE26E3276BAAB0FB5ED72940D34FE5FFDF5331D91E42794124trueMicrosoft WindowsValid 11241100x80000000000000007553662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.142{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAC3.tmp2021-09-10 17:10:18.142 
11241100x80000000000000007553661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.142{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAC1.tmp2021-09-10 17:10:18.142 11241100x80000000000000007553660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.142{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAC2.tmp2021-09-10 17:10:18.142 11241100x80000000000000007553659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.141{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAB0.tmp2021-09-10 17:10:18.141 11241100x80000000000000007553658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAF.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAE.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAD.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAC.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAB.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAAA.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAA9.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAA8.tmp2021-09-10 17:10:18.124 11241100x80000000000000007553650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.124{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\cabFAA7.tmp2021-09-10 17:10:18.124 13241300x80000000000000007553649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.061{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033\LastUpdateBinary Data 
13241300x80000000000000007553648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.061{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033\NextUpdateBinary Data 13241300x80000000000000007553647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.061{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033\LastUpdateBinary Data 13241300x80000000000000007553646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.061{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033\NextUpdateBinary Data 734700x80000000000000007553645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.061{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBEtrueMicrosoft WindowsValid 12241200x80000000000000007553644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.061{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 
13241300x80000000000000007553643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\PointsBinary Data 13241300x80000000000000007553642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007553641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\TypeDWORD (0x00000000) 12241200x80000000000000007553640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 13241300x80000000000000007553639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xbabbb8db) 
12241200x80000000000000007553638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007553637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.045{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000007553636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007553635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007553634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f 10341000x80000000000000007553633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x80000000000000007553632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2468fa59.TMPMD5=8D14DFD013FF8EFCBCF084D63393223F,SHA256=A990E5C4F50B1DBF5BE75B811C9D5B055B0BA48CE7E632FB2CC7C12D1E116A88falsetrue 11241100x80000000000000007553631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2468fa59.TMP2021-09-10 17:10:18.045 
254200x80000000000000007553630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXNLYEXFCUSORYELJZC9.temp2021-09-08 15:20:54.5192021-09-10 17:10:18.045 11241100x80000000000000007553629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.045{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXNLYEXFCUSORYELJZC9.temp2021-09-10 17:10:18.045 734700x80000000000000007553628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL15.0.4420.0Microsoft Office componentMicrosoft Office Template and Media ControlMicrosoft Corporationieawsdc.dllMD5=CCB14AFAE0E5FD30FEC7A6A462A8A0E3,SHA256=5BCF5E64480611BFE91CE3D7A4719CC90DA07F392F2F3839E4C5D8356461255EtrueMicrosoft CorporationValid 12241200x80000000000000007553627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007553625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007553617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:18.043{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000007553604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007553603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:18.024{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007553602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851226[A:TM02851226][F:turabian][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851226.cab][G:][L:3] 13241300x80000000000000007553601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033\TM02835233[A:TM02835233][F:Text Sidebar (Annual Report Red and Black design)][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02835233.cab][G:][L:3] 13241300x80000000000000007553600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851227[A:TM02851227][F:sist02][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851227.cab][G:][L:3] 13241300x80000000000000007553599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851225[A:TM02851225][F:mlaseventheditionofficeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab][G:][L:3] 13241300x80000000000000007553598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851224[A:TM02851224][F:iso690nmerical][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851224.cab][G:][L:3] 13241300x80000000000000007553597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007553596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.024{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851223[A:TM02851223][F:iso690][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851223.cab][G:][L:3] 13241300x80000000000000007553595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851222[A:TM02851222][F:ieee2006officeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab][G:][L:3] 13241300x80000000000000007553594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851221[A:TM02851221][F:harvardanglia2008officeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab][G:][L:3] 13241300x80000000000000007553593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851220[A:TM02851220][F:gosttitle][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851220.cab][G:][L:3] 13241300x80000000000000007553592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851219[A:TM02851219][F:gostname][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851219.cab][G:][L:3] 13241300x80000000000000007553591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851218[A:TM02851218][F:gb][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab][G:][L:3] 13241300x80000000000000007553590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851217[A:TM02851217][F:chicago][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab][G:][L:3] 13241300x80000000000000007553589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033\TM02851216[A:TM02851216][F:apasixtheditionofficeonline][M:1/30/2007 00:00:00 AM][U:https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851216.cab][G:][L:3] 13241300x80000000000000007553588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:18.008{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007553587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:17.992{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000007553586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\PointsBinary Data 13241300x80000000000000007553585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007553584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{D56DBB2E-833A-4B90-98D5-F63A8C485F2D}\TypeDWORD (0x00000000) 12241200x80000000000000007553583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 12241200x80000000000000007553582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000007553581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xbab3a579) 12241200x80000000000000007553580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:17.992{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000007553579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007553578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007553577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f 10341000x80000000000000007553576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x80000000000000007553575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:17.992{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2468fa2a.TMPMD5=4F0D3B7BEF1093CAB9F0FDB02737D4BA,SHA256=B8696E79C3338855028CA6B6697F0BADD15B40278C36605A9F43C7AB59E1D68Cfalsetrue 354300x80000000000000002131893Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:09.836{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62380-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x80000000000000002131892Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:18.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDB47DFF74C3DF42CE052389B1DB979,SHA256=992751D7AFAF8336BD74A8AA2201F6F18D7304B3D2897F6BB3BAA2367B787DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131891Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:18.085{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C89EC93F9F0CD37896344126AAB75D,SHA256=A55BDE854F6A885882F4026CCC76E9D07A79B90C4F49D183ABE85EA13FBDF340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131890Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:18.085{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E34F7CF5F37A4F3EA233D35907D2E828,SHA256=72C15429D5D3969BA2A5D06AEEF97A8101AEAF9BE551880650F1BB76B470C0BA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007553791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.798{4DF467A6-915E-613B-8222-01000000F001}5676metadata.templates.cdn.office.net0type: 5 templatesmetadata.office.net;type: 5 templatesmetadata.office.net.edgekey.net;type: 5 e26769.b.akamaiedge.net;::ffff:23.53.34.10;::ffff:23.53.34.17;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 
22542200x80000000000000007553790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.780{4DF467A6-915E-613B-8222-01000000F001}5676cdn.uci.officeapps.live.com0type: 5 cdn.uci.officeapps.live.com.edgekey.net;type: 5 e1324.d.akamaiedge.net;::ffff:23.192.208.44;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 11241100x80000000000000007553789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:19.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:19.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7867DD7C2676C6272FBA92A52631887,SHA256=D9C3874420CD7EA6C2ABB35CB667AF7CEC1DFBC2F1FA543B5F334D222E50AF62falsetrue 11241100x80000000000000007553787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:19.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007553786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:19.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D94CC0E9A886B467CD3211424437DAF3,SHA256=CD47162703596B59F9AF309F55530BD06EF92C49AB6FC32865AC80184C7422D8falsetrue 
354300x80000000000000007553785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.957{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56849-false23.209.116.42-443https 354300x80000000000000007553784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.957{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56851-false23.209.116.42-443https 354300x80000000000000007553783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.957{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56856-false23.209.116.42-443https 354300x80000000000000007553782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.956{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56848-false23.209.116.42-443https 354300x80000000000000007553781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.956{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56846-false23.209.116.42-443https 354300x80000000000000007553780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.956{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56853-false23.209.116.42-443https 
354300x80000000000000007553779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.956{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56854-false23.209.116.42-443https 354300x80000000000000007553778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.956{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56850-false23.209.116.42-443https 354300x80000000000000007553777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.956{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56855-false23.209.116.42-443https 354300x80000000000000007553776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.955{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56844-false23.209.116.42-443https 354300x80000000000000007553775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.955{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56845-false23.209.116.42-443https 354300x80000000000000007553774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.955{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56852-false23.209.116.42-443https 
354300x80000000000000007553773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.955{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56847-false23.209.116.42-443https 354300x80000000000000007553772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.937{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61352- 354300x80000000000000007553771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.831{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56843-false23.53.34.10-443https 354300x80000000000000007553770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.811{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56842-false23.192.208.44a23-192-208-44.deploy.static.akamaitechnologies.com443https 354300x80000000000000007553769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.794{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51431- 354300x80000000000000007553768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.793{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60236- 
23542300x80000000000000002131907Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.318{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A1726937726AAFFFA03F7C35C9FD6B,SHA256=7FB767DDB33FB2012C2ADAF0FA644B754F6B36AEDC63BC6D1C2629A2C49A9C20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002131906Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-917B-613B-A61B-01000000F101}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131905Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131897Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:19.287{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131896Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-917B-613B-A61B-01000000F101}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131895Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.287{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-917B-613B-A61B-01000000F101}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:19.272{AEE49BD1-917B-613B-A61B-01000000F101}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007553796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:20.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:20.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DAFE1D424E4AA2048F95B326264EB7,SHA256=F5BB79AB3C49DA3BB237D40A1787C20A2D564D31DC24F072C7E4E53CF04B9BBCfalsetrue 354300x80000000000000007553794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:01.129{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56857-false10.0.1.12-8000- 11241100x80000000000000007553793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:20.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:20.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE2971E035ACE2D909C7897F7FA3FA9,SHA256=06C2AE59A634E543FC70B0677A89EF91BDD4781975DAB51692B01310A16391DFfalsetrue 23542300x80000000000000002131909Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:20.504{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C89EC93F9F0CD37896344126AAB75D,SHA256=A55BDE854F6A885882F4026CCC76E9D07A79B90C4F49D183ABE85EA13FBDF340,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002131908Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:20.319{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68DD5E69536C237A6C7CAA2293261A6,SHA256=BE4FA0191FD9A7254EF1F35CB8D7DB21BC51EDC21E6491C5D20EDC9166FB34AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:21.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:21.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56A5E793F5F32820FE610ABB1EAF354,SHA256=BD03C101987CC8F9CE58B21F1CE2B644307C599717C97400B60CFD1F7C37719Bfalsetrue 354300x80000000000000007553800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:02.028{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57602- 22542200x80000000000000007553799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:02.030{4DF467A6-3F58-6132-2B00-00000000F001}294842.116.209.23.in-addr.arpa.0type: 12 a23-209-116-42.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe 
22542200x80000000000000007553798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:02.020{4DF467A6-3F58-6132-2B00-00000000F001}294810.34.53.23.in-addr.arpa.0type: 12 a23-53-34-10.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe 22542200x80000000000000007553797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:00.924{4DF467A6-915E-613B-8222-01000000F001}5676binaries.templates.cdn.office.net0type: 5 binaries.templates.cdn.office.net.edgesuite.net;type: 5 a1847.dscg2.akamai.net;::ffff:23.209.116.42;::ffff:23.209.116.11;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x80000000000000002131910Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:21.336{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B2606D25BF866A26EF5EA9331D4A94,SHA256=0F06B40CBC67A99E0EDCF0C7EF541A78D6F25C9307177BD6EF0110901C79AB98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007553806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:22.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007553805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:22.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007554071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.880{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007554068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.864{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 12241200x80000000000000007554067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.864{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.864{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x80000000000000007554065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.864{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\certca.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Microsoft® Active Directory Certificate Services CAMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCaMD5=8F23364460E12C9A157F88B9B4A86F2E,SHA256=51B5550668D6420C5DA988FEF83564DD9B4E911866EF4FC80748C8B219789F23trueMicrosoft WindowsValid 734700x80000000000000007554064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.864{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\CertEnroll.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Active Directory Certificate Services Enrollment ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationCertEnrollMD5=20ADB479CDAFBDFB60D8D6E0AD7D6588,SHA256=C1C86EE623A9BCA85CE4D6AD7DA9F75C18E62DA2341219FCF45A73FD0CF5123BtrueMicrosoft WindowsValid 11241100x80000000000000007554063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007554062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=96F1C2080619A7FD5ECADD08CF8426F7,SHA256=0967AB8ED7BD3FBE13A6793D4A8E99AD510E350A474BE0F3B48950F5A7E24A6Bfalsetrue 
11241100x80000000000000007554061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A3C1DCA90A8E2B14E6894166B815E4,SHA256=2BCC1FD60912E96D287EA8AAEC3A59337E35252DF898AFDC01810DFF42EC2724falsetrue 734700x80000000000000007554059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.714{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\fwbase.dll10.0.14393.0 (rs1_release.160715-1616)Firewall Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfwbase.dllMD5=216C0DC7BEBD19C616A7BCE54F57F70C,SHA256=2305E780D161A736DB237727AC78EC1D2462793FD5013D126621B4BBBB16D743trueMicrosoft WindowsValid 12241200x80000000000000007554058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007554048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.765{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007554031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.696{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\FirewallAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Firewall APIMicrosoft® Windows® Operating SystemMicrosoft CorporationFirewallAPI.DLLMD5=C7DD193AFCCF63B97C559993608EDAF0,SHA256=26E7628E9C65352F730F38D7BF32A845CC1CAEEC034152B1CDE85F9B89D1A6DCtrueMicrosoft WindowsValid 12241200x80000000000000007554030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007554020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007554003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.696{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.HostName.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking.HostName DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.HostName.dllMD5=8DF028D66876592B54CEF5631E727C2E,SHA256=C16C85F3D505EDE6F2566DF7140171F5AB4A71DDDEEDC653D846D3954AA8E99AtrueMicrosoft WindowsValid 12241200x80000000000000007554002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007553992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.749{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007553978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.696{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.dllMD5=79801C7A91F51A659B0BBA4E80FFFA6B,SHA256=A261D0F4572FAE532461712C90129E14682B09FA651742DBD856F28430586CA7trueMicrosoft WindowsValid 12241200x80000000000000007553977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007553975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007553971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.733{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007553951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007553950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.649{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL10.0.17763.1 (WinBuild.160101.0800)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationDBGHELP.DLLMD5=3AD4BA5FD42E006E38D60AC93FD882E1,SHA256=502593C125B3DCF31D4565FCA6CF49E75233E1D6F3A7DEF2E2E2431E2501D349trueMicrosoft CorporationValid 12241200x80000000000000007553949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007553948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007553943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007553926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.633{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\v8jsi.dll0.63.1.8_5_210_20React Native V8 JSI AdapterReact Native V8 JSI AdapterMicrosoftv8jsi.dllMD5=A0BC9DBA90FC6D10B7618702FB67EC58,SHA256=2A6EBAA66D27F565E4008619D680DF1F2F13E77C2155F658B29F841B9D49AE51trueMicrosoft CorporationValid 12241200x80000000000000007553925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007553923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000007553922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.718{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007553907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.717{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007553902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.712{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1FtrueMicrosoft WindowsValid 13241300x80000000000000007553901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:35.680{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\ClickToRun\Updates\UpdatesDiscoveryPeriodStartTime13275767435680 734700x80000000000000007553900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.649{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1CtrueMicrosoft WindowsValid 734700x80000000000000007553899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.633{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87trueMicrosoft WindowsValid 12241200x80000000000000007553898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.633{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007553897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007553896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:35.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=935A729C975744EDAC10A831E1910D07,SHA256=EC17B9BB8ABBC9EB9FB2BBA92D9D2B70458BC8A1F98B7EA1F9FC744E0FC950B1falsetrue 734700x80000000000000007553895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.534{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll0.62.22React-Native-WindowsReact-Native-WindowsMicrosoftreact-native-win32.dllMD5=398277435FAC13143749320A60428DC8,SHA256=0576D3C166CF04F52BA9913A75FF14D77AF755D5285D7E7D64550BA432DBA932trueMicrosoft CorporationValid 12241200x80000000000000007553894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007553893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007553892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007553891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007553890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007553889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007553879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007553878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007553877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007553876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:35.580{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 13241300x80000000000000007554134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:36.878{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 13241300x80000000000000007554133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:36.878{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 13241300x80000000000000007554132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:36.878{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 12241200x80000000000000007554131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PendingChanges 13241300x80000000000000007554130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:36.878{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 734700x80000000000000007554129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.863{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\msproof7.dll16.0.55555.10000Proofing ServicesNatural Language ComponentsMicrosoft CorporationMSProof7.dllMD5=0B5AE10DC8D082C28CD1F7C66DBF6063,SHA256=53075E69BF554B0560B3E0B5E726B4F34326DBD0967EE29DC84E1AF8778A51B8trueMicrosoft CorporationValid 12241200x80000000000000007554128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000007554125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007554110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.878{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:36.863{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000007554104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007554103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E5173F93ECB156CBA7755F3B73057A4,SHA256=711CFFF86CAB71D301230B04836D83291E34FC62DAB6248956F91F860F5617C3falsetrue 11241100x80000000000000007554102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007554101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3DEC45EF3F03123C33C585AA364E7D3,SHA256=710387592BBE7CCDBF7D13E73E3D51211CCDF8233FA6918240A9B130B501E065falsetrue 354300x80000000000000007554100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.064{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56860-false10.0.1.12-8000- 11241100x80000000000000007554099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.414{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79809A898B3F5127232B7C688DCCE28,SHA256=E02430591FC29D7E8F405631CCBC8C36AE41BF3C2C9408AB9F70DD80AA75B70Cfalsetrue 11241100x80000000000000007554097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007554096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D7C197D5324EF11817C1A0F2F64A18,SHA256=302928079DC899A8E0FE4CCB719C6BE7101C037451F91DAF1C3136F3D204415Dfalsetrue 11241100x80000000000000007554095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007554094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1B8F05E53C50E41BA5396281B13086D,SHA256=E7E3C1B940E4FC10213347D3520499AE550BA9B8DE91F65AFE6D25A38A0787C3falsetrue 354300x80000000000000007554252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.674{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56862-false131.253.33.203a-0003.dc-msedge.net80http 354300x80000000000000007554251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.608{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56861-false52.111.245.5-443https 354300x80000000000000007554250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.583{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60212- 11241100x80000000000000007554249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:37.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:37.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE94A8BFFDC97CCE0062810347ED16A3,SHA256=37BBF3279777F891993EFC9C8FBD563153470BBD72CA27D547D4BCA80342A24Efalsetrue 23542300x80000000000000002131938Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:37.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231BFBC4B7D3A91E7EADC4EA89E7DDAF,SHA256=F8D576CA70B78E5E3CDA945E5238EC2555C6286E7A2B75BEA3970A2285978A57,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007554258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.637{4DF467A6-915E-613B-8222-01000000F001}5676oneocsp.microsoft.com0type: 5 oneocsp-microsoft-com.a-0003.a-msedge.net;type: 5 icePrime.a-0003.dc-msedge.net;type: 5 a-0003.dc-msedge.net;::ffff:131.253.33.203;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x80000000000000007554257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:18.562{4DF467A6-915E-613B-8222-01000000F001}5676augloop.office.com0type: 5 augloop-prod.trafficmanager.net;type: 5 augloop-prod-001.westus.cloudapp.azure.com;::ffff:52.111.245.5;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 11241100x80000000000000007554256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:38.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007554255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:38.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5D7C197D5324EF11817C1A0F2F64A18,SHA256=302928079DC899A8E0FE4CCB719C6BE7101C037451F91DAF1C3136F3D204415Dfalsetrue 11241100x80000000000000007554254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:38.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:38.445{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF0502F809DE1D5C408C6243AD9E2EA,SHA256=754C4282A630B5AB708FD811464B258696D794C48290822DFC91C9AED82D0D3Dfalsetrue 23542300x80000000000000002131939Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:38.420{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AF55BC20825EF447C99B938A1BC68F,SHA256=E0B3785803015FE7F655AF5BC304B64A4A120EE35A41A79CC2C1B5B756BABD5A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007554261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:20.598{4DF467A6-3F58-6132-2B00-00000000F001}2948203.33.253.131.in-addr.arpa.0type: 12 a-0003.dc-msedge.net;C:\Windows\sysmon64.exe 
11241100x80000000000000007554260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:39.490{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:39.490{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02447BC47C662A3162EE9997EC184CD8,SHA256=5B3777A901BFD68F66B8D9B3AF3621D5C68A5883FE8A92F1B26FD84617528C1Cfalsetrue 23542300x80000000000000002131940Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:39.423{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07027FFBDD603BA32A573BC3955837D7,SHA256=006192825059D64A624503914427759610CB6FD2CE47F8904ED8F4C0CD806492,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002131944Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:31.972{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62384-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002131943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:40.424{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D523790DFD03E60454E2F1D6A8EF7C64,SHA256=D9CB09ABDAC8716B5B7C9A419ABCE4DB57D2B4ADCC538575E161264C49A8913B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007554265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:40.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007554264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:40.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34FC9786B2A5435B9291E2EF3A655CA2,SHA256=6C37348594F3CC528D7AFF584B795601DB10BDFBF20F9091C485A03640331FC2falsetrue 11241100x80000000000000007554263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:40.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:40.526{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20EF181EBF1F5EA198DCD86E8B12A20,SHA256=4726BFDBB95F5121AC378CD2355A6FD5E10035367C91323D5034688FB5FB38E1falsetrue 23542300x80000000000000002131942Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:40.189{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F7FD5649C4BDABA4C57FFFAB6B9411B,SHA256=0F6AEE9ABB80D4E233B1A427808E1A50D8F86B2E31A3B300FC0B345975AD7548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131941Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:40.188{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21649E7449BBD7B4790A733D42B036FF,SHA256=91AE81CE4915FDA574FBE6B3664160CCBE62FCE1954C1D13A52592A5D7AB203F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131945Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:41.426{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81231A5B0299481DEB562660B02CC22F,SHA256=C02A87509E197AC640975568E556D2A7B519752E72B425308FBFC4555926E8C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007554271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007554270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C254D6FBE715707CF46D235FBC580055,SHA256=BDF51EA7F0D7A2300B59BD48E2B964D74F8F84A1BC0F93D1B7EB13018C2753D4falsetrue 11241100x80000000000000007554269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007554268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3AD78294A1FEDB82E07ED55E34FED6A,SHA256=51A52A49D90FDB52E681099D7E6C347C50C1D3795EC9CC2B64857394FCCE24F6falsetrue 11241100x80000000000000007554267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:41.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20B82455D8E87B9892521EAF2E473CA,SHA256=362EBDCCCBFF43742F6E685CB90EA9E5057675FD5E152C3B74742BFC6F4413CAfalsetrue 23542300x80000000000000002131946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:42.428{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDA7447BAB8D83F38E872923DED1469,SHA256=B48B7B7238A9A95CCEA7F8EE787CA0C713C2CEF5F39076CE918D3CDEDF345F3E,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007554283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:42.869{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007554282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:42.869{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x80000000000000007554281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:23.924{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56863-false10.0.1.12-8000- 11241100x80000000000000007554280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:42.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:42.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226672AEF4F3A68C6D993E8C5300AB8E,SHA256=C471332637BF0E9D7AE81FC593639DCB9E81A20ACBB9C30E2A0BB17F1CA98D15falsetrue 13241300x80000000000000007554278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:42.239{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007554277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:42.239{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000007554276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:42.239{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007554275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:42.239{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 
13241300x80000000000000007554274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:42.239{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 11241100x80000000000000007554273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:42.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007554272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:42.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D1538DA00369E2E266F952F19F9F236,SHA256=9B80970283AAA9535CF86684A3B074BBA700ACE6307A712C1710696681DECCA6falsetrue 18141800x80000000000000007554293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:43.999{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007554292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:10:43.999{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007554291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:43.999{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007554290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 
17:10:43.999{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007554289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:43.998{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007554288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:10:43.998{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007554287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:43.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007554286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:43.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDFBD89A4FD1D79CD4694ADDD63A50B9,SHA256=AAAB52C8834E0418A0FD00BF3767C977820CA59FFC705800A9BE15D5C3230E44falsetrue 11241100x80000000000000007554285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:43.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007554284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:43.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5347E402B463391EA1E2074FCB1F0CAC,SHA256=8FA016D9C777B2D5E8F3326BDD7A23787E4A6751E1F545BC38EB7D7015A1C76Efalsetrue 23542300x80000000000000002131947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:43.430{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BF56B14C833AEFC2F1AE7E32A6F967,SHA256=6AD10996779661EEC0F0619595B008D4744002A74F72D7A1B2263B4E66B93BF4,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007555021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.934{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007555020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.934{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007555019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.919{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007555018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.919{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 12241200x80000000000000007555017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007555015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000007555012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.803{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 12241200x80000000000000007555011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007554998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007554987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.781{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 12241200x80000000000000007554986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 23542300x80000000000000002131948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:44.432{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCE437F61D7A088C2A94F0613DDFCEB,SHA256=3B1AC987873466DC1870C8491D515A1029F6AAF45CF5FA07D8CAFFE50EA7BC6A,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007554985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007554971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
12241200x80000000000000007554964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007554962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.781{4DF467A6-9194-613B-8622-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 12241200x80000000000000007554961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007554950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.881{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007554825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 12241200x80000000000000007554824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007554818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.366{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007554803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007554799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 12241200x80000000000000007554798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007554789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000007554774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007554773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000007554772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007554760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.351{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.335{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.335{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.335{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.335{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007554749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x80000000000000007554748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.335{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.335{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007554596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x80000000000000007554595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007554591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000007554573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 12241200x80000000000000007554572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000007554570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007554555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.282{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007554549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 12241200x80000000000000007554548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007554541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000007554519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 12241200x80000000000000007554518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.267{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007554354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.235{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007554345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007554344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007554343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007554342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007554341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007554340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 12241200x80000000000000007554339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007554332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007554325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007554324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007554323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007554322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.220{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007554321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.167{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007554320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.167{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000007554319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.167{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007554318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:44.167{4DF467A6-9193-613B-8522-01000000F001}7864\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007554317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.167{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007554316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007554315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007554314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007554313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007554312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007554311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.151{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000007554310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.135{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x80000000000000007554309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 12241200x80000000000000007554308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.135{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\My 734700x80000000000000007554307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007554306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007554305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000007554304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:44.135{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007554303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007554302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007554301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007554300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007554299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000007554298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007554297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007554296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007554295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:44.135{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007554294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:43.999{4DF467A6-9193-613B-8522-01000000F001}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007555113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.848{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34B95988C224E598E1418175A549B103,SHA256=7BB3420186EA971AF8ADE389314A9CE7BBD657F0501C93DCAB23EA47252F0FA3falsetrue 11241100x80000000000000007555111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075899DECD13C6502E05E39943657069,SHA256=083F28C9B4922A6082AF99718D88914F1EE790F01EE2EB6D5C2BAB42209FB7A8falsetrue 11241100x80000000000000007555109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363DD124E25DEB434D2DD572B9814314,SHA256=340294F5BD634E44D234B5FCA2DFCBE6FE7856CEEAF330D53B6890B0DA767FDAfalsetrue 
23542300x80000000000000002131949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:45.432{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977CBFCEA2C18DDFB1014D31016ACAE7,SHA256=184AD0E8643A9EAA1D65DB294CE876C2E96A9E6A99AE457B8A57AFA5BBEED61A,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007555107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.602{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007555106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.602{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007555105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.602{4DF467A6-9195-613B-8722-01000000F001}35727936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007555104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.602{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007555103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.602{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 12241200x80000000000000007555102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007555100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 12241200x80000000000000007555099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007555085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.549{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007555078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:45.480{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007555077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.480{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007555076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.480{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007555075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:45.480{4DF467A6-9195-613B-8722-01000000F001}3572\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007555074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.480{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007555073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007555072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007555071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007555070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007555069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007555068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007555067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007555066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007555065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007555064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007555063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000007555062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007555061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007555060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007555059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007555058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007555057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007555056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007555055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 
(rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007555054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007555053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007555052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007555051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007555050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007555049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007555048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007555047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007555046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007555045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007555044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007555043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007555042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007555041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007555040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007555039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007555038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:45.465{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007555037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000007555036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007555035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.465{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007555034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:45.450{4DF467A6-9195-613B-8722-01000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007555033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:45.449{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17:10:46.132{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007555114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:10:46.132{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002131951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:46.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C976400D9639D0204D277D07F492D9E3,SHA256=0A606C0CE4B361C7A4FEA3587446889C421E172A4019FEF5F70C615237DF18B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:46.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F7FD5649C4BDABA4C57FFFAB6B9411B,SHA256=0F6AEE9ABB80D4E233B1A427808E1A50D8F86B2E31A3B300FC0B345975AD7548,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007555403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007555401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 12241200x80000000000000007555400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007555394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.961{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000007555379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007555378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007555377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007555376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007555375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007555374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007555373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007555372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007555371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.898{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007555370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.897{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007555369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.892{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007555368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007555367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007555366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007555365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007555364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft 
WindowsValid 734700x80000000000000007555363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007555362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007555361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007555360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007555359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007555358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007555357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007555356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007555355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007555354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007555353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007555352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 
(rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007555351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007555350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007555349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007555348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007555347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007555346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007555345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007555344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007555343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007555342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007555341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007555340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007555339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007555338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.876{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007555337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000007555336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007555335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.876{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007555334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.746{4DF467A6-9197-613B-8A22-01000000F001}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007555333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.814{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.814{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9D5D7896A0C4432BED45DE516785E4E,SHA256=4EE6A19B92C336A2459E25D3A6CD42E2A583D47ED26C905A2FD1EDE22E24DBF7falsetrue 23542300x80000000000000002131954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:47.436{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D91D8C857324615E1BCD9D79B7D550,SHA256=F512D153C6D84A5CFE6D91DCD4574A06B90D9E057E08722AEF59AFFDD6B481B9,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000007555331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007555330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:10:47.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007555329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007555328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:10:47.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007555327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007555326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:10:47.745{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007555325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.499{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007555324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.499{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=082CE21BB570458ABE7E0FE551D67FA9,SHA256=E11A077E167D2E43A38F55BD56CB78024CFA8EDD0A6181FC1751FA9869440080falsetrue 11241100x80000000000000007555323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.498{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007555322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.498{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=AD1388B9ED185C1F5A8715286E14EB90,SHA256=EA1FBD70A6B0B50B78844922937038121472651BDB03D5FE3360FD8E9278F619falsetrue 11241100x80000000000000007555321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.497{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007555320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.497{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=DF986E164E8CD08F11F3CE66414770F0,SHA256=3AB158281386F77C2B914BE39AB39E50B302BDDF9283A2397CD159D3B223178Afalsetrue 
11241100x80000000000000007555319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.496{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007555318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.496{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=BAB8DEDDFBB8B84918D2D86AA733A19E,SHA256=03C84DF148F46746534A014BFCA7B8712B3FEA278CC4269AB4CAF8832FBA1972falsetrue 11241100x80000000000000007555317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.495{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007555316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.495{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=794584C15AF87EBF0728DE0797A0C798,SHA256=0FC52B94269C9666F06A787500205BC16FBAAFDCC2E5C54F195211DF025A0F5Efalsetrue 11241100x80000000000000007555315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.494{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 
20:44:01.067 23542300x80000000000000007555314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.494{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=59D20AEAF3F37D9EE4FFCFF77B72AFE3,SHA256=D718B7DBAD2F2F9A9E4950B076E7D03B83EFF877303624365E585D406D7323D6falsetrue 534500x80000000000000007555313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.230{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007555312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.230{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007555311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.230{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007555310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.230{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007555309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED0B9662216DB212B5D8828001ACB41,SHA256=B706DA576ADD6860A7A513A61BB687EE4F754D5A5A0D6C872E3E9440F3832ADAfalsetrue 734700x80000000000000007555307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 12241200x80000000000000007555306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
12241200x80000000000000007555305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007555304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 354300x80000000000000002131953Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:37.936{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62385-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 12241200x80000000000000007555294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007555282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007555281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007555280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007555278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 12241200x80000000000000007555277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000007555271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.177{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
11241100x80000000000000007555256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E67E8CB572DF4A7042AC67D80D23B1AA,SHA256=6C1A6A312C727E3EC48096B771921F4994FCA4FAEFEEA6CE69B1C8911AAEEE3Dfalsetrue 734700x80000000000000007555254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007555253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000007555252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007555251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007555250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007555249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x80000000000000007555248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007555247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B22E4B45B51AC159514BAC2E7E69F57A,SHA256=A39696CE2AC934EFF4F4026D69CE985F2E8286C58CCC3C49E8437038E260D030falsetrue 734700x80000000000000007555246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007555245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007555244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007555243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.099{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 11241100x80000000000000007555242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 734700x80000000000000007555241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 23542300x80000000000000007555240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC355252A3FC539CFA6A7E399B00F97D,SHA256=A029B7DA6419BA1DB48C8E0610F6D05CE408494F1401CEFBC576489699C18EEBfalsetrue 734700x80000000000000007555239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007555238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007555237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007555236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007555235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007555234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007555233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft 
CorporationValid 734700x80000000000000007555232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007555231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007555230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007555229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 
734700x80000000000000007555228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007555227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007555226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007555225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007555224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007555223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007555222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007555221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 
734700x80000000000000007555220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007555219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007555218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007555217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007555216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007555215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007555214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007555213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007555212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007555211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007555210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.078{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007555209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000007555208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007555207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:47.078{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000007555206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:46.947{4DF467A6-9196-613B-8922-01000000F001}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 12241200x80000000000000007555205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:47.046{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 354300x80000000000000007555492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:29.646{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56867-false10.0.1.12-8089- 354300x80000000000000007555491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:29.047{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56866-false10.0.1.12-8000- 23542300x80000000000000002131955Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:48.438{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2508648318FABD56C14A47EB2B27BB38,SHA256=53767530DD915938CE29E6CD2F172E18B31F47260621987BB4701F6FF39A1477,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007555490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.828{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007555489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.828{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007555488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.828{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007555487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.828{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 12241200x80000000000000007555486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000007555484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.675{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 12241200x80000000000000007555483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000007555480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007555465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:48.759{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007555462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007555461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007555460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007555459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007555458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007555457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007555456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:48.697{4DF467A6-9198-613B-8B22-01000000F001}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
EventID=7 Version=3 RecordID=7555455 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.697" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\netutils.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API Helpers DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="NETUTILS.DLL" Hashes="MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555454 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.697" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\netapi32.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="NetApi32.DLL" Hashes="MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555453 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.693" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\bcrypt.dll" FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="bcrypt.dll" Hashes="MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555452 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.693" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\winspool.drv" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Windows Spooler Driver" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="winspool.drv" Hashes="MD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555451 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName="msvcp140.dll" Hashes="MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF" Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555450 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\Wldap32.dll" FileVersion="10.0.14393.3269 (rs1_release.190929-1234)" Description="Win32 LDAP API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="WLDAP32.DLL" Hashes="MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555449 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\msvcp_win.dll" FileVersion="10.0.14393.2999 (rs1_release_inmarket.190520-1518)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="msvcp_win.dll" Hashes="MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555448 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\adsldpc.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="ADs LDAP Provider C DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="adsldpc" Hashes="MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555447 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\oleaut32.dll" FileVersion="10.0.14393.4402 (rs1_release.210426-1725)" Description="OLEAUT32.DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="OLEAUT32.DLL" Hashes="MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555446 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName="vcruntime140.dll" Hashes="MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9" Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555445 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\bcryptprimitives.dll" FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="bcryptprimitives.dll" Hashes="MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555444 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\archive.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes="MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555443 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll" FileVersion="1.0.2t" Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName="libeay32.dll" Hashes="MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555442 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes="MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555441 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\combase.dll" FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Microsoft COM for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="COMBASE.DLL" Hashes="MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555440 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes="MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555439 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll" FileVersion="1.0.2t" Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName="ssleay32.dll" Hashes="MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555438 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\ucrtbase.dll" FileVersion="10.0.14393.3659 (rs1_release_1.200410-1813)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="ucrtbase.dll" Hashes="MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555437 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\ole32.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Microsoft OLE for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="OLE32.DLL" Hashes="MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555436 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes="MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555435 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\activeds.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="ADs Router Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="ADs" Hashes="MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555434 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll" FileVersion="2.9.9" Description="libxml2 library" Product="libxml2" Company=- OriginalFileName="libxml2.dll" Hashes="MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1" Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555433 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\ws2_32.dll" FileVersion="10.0.14393.3241 (rs1_release_inmarket.190910-1801)" Description="Windows Socket 2.0 32-Bit DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="ws2_32.dll" Hashes="MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555432 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\rpcrt4.dll" FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Remote Procedure Call Runtime" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="rpcrt4.dll" Hashes="MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555431 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\sechost.dll" FileVersion="10.0.14393.3808 (rs1_release.200707-2105)" Description="Host for SCM/SDDL/LSA Lookup APIs" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="sechost.dll" Hashes="MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555430 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\msvcrt.dll" FileVersion="7.0.14393.2457 (rs1_release_inmarket.180822-1743)" Description="Windows NT CRT DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="msvcrt.dll" Hashes="MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555429 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\advapi32.dll" FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Advanced Windows 32 Base API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="advapi32.dll" Hashes="MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555428 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\gdi32full.dll" FileVersion="10.0.14393.4530 (rs1_release.210705-0736)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="gdi32" Hashes="MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555427 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\gdi32.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="gdi32" Hashes="MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555426 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\win32u.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Win32u" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="Win32u.DLL" Hashes="MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555425 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\user32.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Multi-User Windows USER API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="user32" Hashes="MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=10 Version=3 RecordID=7555424 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" SourceProcessGUID={4DF467A6-D934-6137-57AF-00000000F001} SourceProcessId=5448 SourceThreadId=6556 SourceImage="C:\Windows\system32\conhost.exe" TargetProcessGUID={4DF467A6-9198-613B-8B22-01000000F001} TargetProcessId=5684 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=7 Version=3 RecordID=7555423 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\KernelBase.dll" FileVersion="10.0.14393.4350 (rs1_release.210407-2154)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="Kernelbase.dll" Hashes="MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555422 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\kernel32.dll" FileVersion="10.0.14393.4350 (rs1_release.210407-2154)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="kernel32" Hashes="MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=12 Version=2 RecordID=7555421 Computer=win-dc-291.attackrange.local EventType=CreateKey UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-3F58-6132-2B00-00000000F001} ProcessId=2948 Image="C:\Windows\sysmon64.exe" TargetObject="HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
EventID=7 Version=3 RecordID=7555420 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" ImageLoaded="C:\Windows\System32\ntdll.dll" FileVersion="10.0.14393.4530 (rs1_release.210705-0736)" Description="NT Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="ntdll.dll" Hashes="MD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8A" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=10 Version=3 RecordID=7555419 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" SourceProcessGUID={4DF467A6-3F46-6132-0500-00000000F001} SourceProcessId=412 SourceThreadId=428 SourceImage="C:\Windows\system32\csrss.exe" TargetProcessGUID={4DF467A6-9198-613B-8B22-01000000F001} TargetProcessId=5684 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f"
EventID=10 Version=3 RecordID=7555418 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.675" SourceProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} SourceProcessId=7044 SourceThreadId=1372 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={4DF467A6-9198-613B-8B22-01000000F001} TargetProcessId=5684 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=1 Version=5 RecordID=7555417 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.545" ProcessGuid={4DF467A6-9198-613B-8B22-01000000F001} ProcessId=5684 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" FileVersion="8.0.2" Description="Windows Print Monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName="splunk-winprintmon.exe" CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"' CurrentDirectory="C:\Windows\system32\" User="NT AUTHORITY\SYSTEM" LogonGuid={4DF467A6-3F46-6132-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes="MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2" ParentProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ParentProcessId=7044 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=18 Version=1 RecordID=7555416 Computer=win-dc-291.attackrange.local EventType=ConnectPipe UtcTime="2021-09-10 17:10:48.544" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventID=17 Version=1 RecordID=7555415 Computer=win-dc-291.attackrange.local EventType=CreatePipe UtcTime="2021-09-10 17:10:48.544" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventID=18 Version=1 RecordID=7555414 Computer=win-dc-291.attackrange.local EventType=ConnectPipe UtcTime="2021-09-10 17:10:48.544" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventID=17 Version=1 RecordID=7555413 Computer=win-dc-291.attackrange.local EventType=CreatePipe UtcTime="2021-09-10 17:10:48.544" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventID=18 Version=1 RecordID=7555412 Computer=win-dc-291.attackrange.local EventType=ConnectPipe UtcTime="2021-09-10 17:10:48.544" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventID=17 Version=1 RecordID=7555411 Computer=win-dc-291.attackrange.local EventType=CreatePipe UtcTime="2021-09-10 17:10:48.544" ProcessGuid={4DF467A6-D933-6137-53AF-00000000F001} ProcessId=7044 PipeName="<Anonymous Pipe>" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
EventID=11 Version=2 RecordID=7555410 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.329" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"
EventID=23 Version=5 RecordID=7555409 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.329" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=F6330CDEB243F6A8CA42E7E0A7133DB1,SHA256=5859288C740AA9004FDDA4C1938057671658B7AE5AFA064703AE7D1DB58F245C" IsExecutable=false Archived=true
EventID=5 Version=3 RecordID=7555408 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.029" ProcessGuid={4DF467A6-9197-613B-8A22-01000000F001} ProcessId=8156 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
EventID=7 Version=3 RecordID=7555407 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.029" ProcessGuid={4DF467A6-9197-613B-8A22-01000000F001} ProcessId=8156 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" ImageLoaded="C:\Windows\System32\kernel.appcore.dll" FileVersion="10.0.14393.2312 (rs1_release.180607-1919)" Description="AppModel API Host" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="kernel.appcore.dll" Hashes="MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=10 Version=3 RecordID=7555406 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.029" SourceProcessGUID={4DF467A6-9197-613B-8A22-01000000F001} SourceProcessId=8156 SourceThreadId=5704 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" TargetProcessGUID={4DF467A6-D933-6137-53AF-00000000F001} TargetProcessId=7044 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID=7 Version=3 RecordID=7555405 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.014" ProcessGuid={4DF467A6-9197-613B-8A22-01000000F001} ProcessId=8156 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" ImageLoaded="C:\Windows\System32\dbgcore.dll" FileVersion="10.0.14321.1024 (debuggers(dbg).210127-1811)" Description="Windows Core Debugging Helpers" Product="Microsoft® Windows® Operating System" Company="Microsoft" OriginalFileName="DBGCORE.DLL" Hashes="MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 Version=3 RecordID=7555404 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:48.014" ProcessGuid={4DF467A6-9197-613B-8A22-01000000F001} ProcessId=8156 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" ImageLoaded="C:\Windows\System32\dbghelp.dll" FileVersion="10.0.14321.1024 (rs1_release.160715-1616)" Description="Windows Image Helper" Product="Microsoft® Windows® Operating System" Company="Microsoft" OriginalFileName="DBGHELP.DLL" Hashes="MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A" Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=11 Version=2 RecordID=7555500 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.942" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"
EventID=23 Version=5 RecordID=7555499 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.942" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=1D32F9157656B286C499C32212D5B5BA,SHA256=A591A9A1898E1115A027C272C66D72C2A30E8E5E8346B7B11D2551D9881D89F7" IsExecutable=false Archived=true
EventID=23 Version=5 RecordID=2131956 Computer=win-host-296.attackrange.local UtcTime="2021-09-10 17:10:49.441" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=43371DC7A6F725432D48FB6ECFA00C11,SHA256=01CCCCF2711762C82C7A9DADCBEC0C43F9BAD90E242221DEB8803D1F00D5D3D2,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555498 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.059" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"
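The ProcessAccess records above (Event ID 10) all carry GrantedAccess=0x1fffff, i.e. PROCESS_ALL_ACCESS, against the freshly created splunk-winprintmon.exe, from conhost.exe, csrss.exe and the parent splunkd.exe, while splunk-regmon.exe opens splunkd.exe with the query-only mask 0x101400. Triaging such events by hand means decoding the mask and checking whether the source has a benign reason to hold a handle. The script below is an added example, not part of this dataset, of Sysmon or of Splunk: it parses Sysmon events in their native Windows event XML, rebuilds parent/child links from Event ID 1, decodes the access mask, and labels each Event ID 10 as parent, subsystem, query-only or review. The sample events are constructed to mirror records 7555417, 7555424, 7555419, 7555418 and 7555406 on this page; the dump.exe to lsass.exe record (9000001) is hypothetical and is there only to show the check firing.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) against Event ID 1 process lineage.

Added example. The sample events are constructed from records on this page plus
one hypothetical record (9000001) that does not exist in the dataset.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Process access rights from winnt.h; PROCESS_ALL_ACCESS on Vista and later is 0x1FFFFF.
ACCESS_BITS = {
    0x000001: "PROCESS_TERMINATE", 0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION", 0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE", 0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS", 0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION", 0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME", 0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
# Rights that let the holder read or tamper with the target's memory and threads.
INTRUSIVE = {"PROCESS_CREATE_THREAD", "PROCESS_VM_OPERATION", "PROCESS_VM_READ",
             "PROCESS_VM_WRITE", "PROCESS_DUP_HANDLE", "PROCESS_SUSPEND_RESUME"}
# Win32 subsystem processes that open every new process with full access by design.
SUBSYSTEM = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


def decode_access(mask_hex: str) -> List[str]:
    """Expand a Sysmon GrantedAccess value such as 0x1fffff into right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def parse_sysmon(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into a dict of EventID, RecordID and its <Data Name=...> fields."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        system = ev.find(f"{NS}System")
        rec = {"EventID": system.findtext(f"{NS}EventID"),
               "RecordID": system.findtext(f"{NS}EventRecordID")}
        for data in ev.find(f"{NS}EventData"):
            rec[data.get("Name")] = data.text or ""
        events.append(rec)
    return events


def triage_process_access(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Label every Event ID 10 as parent, subsystem, query-only or review."""
    # Event ID 1 gives ProcessGuid -> ParentProcessGuid, so a parent opening its
    # own child (splunkd.exe -> splunk-winprintmon.exe here) is explained.
    parents = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == "1"}
    findings = []
    for e in events:
        if e["EventID"] != "10":
            continue
        rights = decode_access(e["GrantedAccess"])
        if parents.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            verdict = "parent"
        elif e["SourceImage"].lower() in SUBSYSTEM:
            verdict = "subsystem"
        elif INTRUSIVE & set(rights):
            verdict = "review"      # memory/thread rights from an unexplained source
        else:
            verdict = "query-only"  # e.g. 0x101400: SYNCHRONIZE|QUERY_INFORMATION|QUERY_LIMITED
        findings.append({"RecordID": e["RecordID"], "source": e["SourceImage"],
                         "target": e["TargetImage"], "verdict": verdict, "rights": rights})
    return findings


def _event(event_id: int, record_id: int, **data: str) -> str:
    """Render one event in the Windows event XML schema (helper for the constructed sample)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><EventRecordID>{record_id}"
            f"</EventRecordID></System><EventData>{body}</EventData></Event>")


def _access(rec: int, src_guid: str, src_image: str, tgt_guid: str, tgt_image: str, mask: str) -> str:
    return _event(10, rec, SourceProcessGUID=src_guid, SourceImage=src_image,
                  TargetProcessGUID=tgt_guid, TargetImage=tgt_image, GrantedAccess=mask)


UF = r"C:\Program Files\SplunkUniversalForwarder\bin"
WINPRINTMON = "{4DF467A6-9198-613B-8B22-01000000F001}"
SPLUNKD = "{4DF467A6-D933-6137-53AF-00000000F001}"

# Constructed sample mirroring records on this page, plus one hypothetical record.
SAMPLE = f'<Events xmlns="{NS[1:-1]}">' + "".join([
    _event(1, 7555417, ProcessGuid=WINPRINTMON, Image=rf"{UF}\splunk-winprintmon.exe",
           ParentProcessGuid=SPLUNKD, ParentImage=rf"{UF}\splunkd.exe"),
    _access(7555424, "{4DF467A6-D934-6137-57AF-00000000F001}", r"C:\Windows\system32\conhost.exe",
            WINPRINTMON, rf"{UF}\splunk-winprintmon.exe", "0x1fffff"),
    _access(7555419, "{4DF467A6-3F46-6132-0500-00000000F001}", r"C:\Windows\system32\csrss.exe",
            WINPRINTMON, rf"{UF}\splunk-winprintmon.exe", "0x1fffff"),
    _access(7555418, SPLUNKD, rf"{UF}\splunkd.exe", WINPRINTMON, rf"{UF}\splunk-winprintmon.exe", "0x1fffff"),
    _access(7555406, "{4DF467A6-9197-613B-8A22-01000000F001}", rf"{UF}\splunk-regmon.exe",
            SPLUNKD, rf"{UF}\splunkd.exe", "0x101400"),
    # Hypothetical record, not in the dataset: an unknown tool reading lsass memory.
    _access(9000001, "{00000000-0000-0000-0000-000000000001}", r"C:\Users\admin\dump.exe",
            "{00000000-0000-0000-0000-000000000002}", r"C:\Windows\system32\lsass.exe", "0x1010"),
]) + "</Events>"

if __name__ == "__main__":
    for f in triage_process_access(parse_sysmon(SAMPLE)):
        print(f'{f["RecordID"]} {f["verdict"]:10} {f["source"]} -> {f["target"]}')
```

Run against the sample, the four records taken from this page come out as subsystem, subsystem, parent and query-only, and only the hypothetical lsass read is marked for review. The parent check relies on the Sysmon GUIDs rather than PIDs, since PIDs are reused; in a real pipeline the Event ID 1 lineage must be built from the whole log, not only from the slice being triaged, or parents created before the collection window (splunkd.exe here) will be missing.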
EventID=23 Version=5 RecordID=7555497 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.059" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=EDD430CEEF866D52D918DC296895614F,SHA256=DC4E860671308C038A606D7203ADB516548FF3E4CB322670EE78C589E9309BBF" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555496 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.043" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-09-03 15:27:39.769"
EventID=23 Version=5 RecordID=7555495 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.043" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes="MD5=55B107E83E92EC5A176438AE6B51376A,SHA256=4BEA1E3571CD3E7DB0DB07A259F8608B764E3048EF14BA71C7105B329778859B" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555494 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.028" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"
EventID=23 Version=5 RecordID=7555493 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:49.028" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=AB011E4D547E91FF45FE26D7CB8AC550,SHA256=8D46376D07CD4442C6AEF3D02BF1074621F012406D2D76529AADD2E8B230C8F5" IsExecutable=false Archived=true
EventID=23 Version=5 RecordID=2131957 Computer=win-host-296.attackrange.local UtcTime="2021-09-10 17:10:50.443" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=CEA200A2E9731E6325DFECB72CF22D95,SHA256=DBD98E629D9619D2F20DF59ACFE4138CCAEF53EBA60C5AC657F877A3054A9F5A,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=13 Version=2 RecordID=7555505 Computer=win-dc-291.attackrange.local EventType=SetValue UtcTime="2021-09-10 17:10:50.909" ProcessGuid={4DF467A6-915E-613B-8222-01000000F001} ProcessId=5676 Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWord" Details="Binary Data"
EventID=12 Version=2 RecordID=7555504 Computer=win-dc-291.attackrange.local EventType=DeleteKey UtcTime="2021-09-10 17:10:50.740" ProcessGuid={4DF467A6-915E-613B-8222-01000000F001} ProcessId=5676 Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PendingChanges"
EventID=13 Version=2 RecordID=7555503 Computer=win-dc-291.attackrange.local EventType=SetValue UtcTime="2021-09-10 17:10:50.725" ProcessGuid={4DF467A6-915E-613B-8222-01000000F001} ProcessId=5676 Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\Placeholder" Details="DWORD (0x00000000)"
EventID=13 Version=2 RecordID=7555502 Computer=win-dc-291.attackrange.local EventType=SetValue UtcTime="2021-09-10 17:10:50.725" ProcessGuid={4DF467A6-915E-613B-8222-01000000F001} ProcessId=5676 Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\Knowledge" Details="QWORD (0x00000000-0x00000007)"
EventID=13 Version=2 RecordID=7555501 Computer=win-dc-291.attackrange.local EventType=SetValue UtcTime="2021-09-10 17:10:50.725" ProcessGuid={4DF467A6-915E-613B-8222-01000000F001} ProcessId=5676 Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\LastWrite" Details="Binary Data"
EventID=23 Version=5 RecordID=2131960 Computer=win-host-296.attackrange.local UtcTime="2021-09-10 17:10:51.444" ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} ProcessId=3924 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=F7F1D7C68C67EB2D2B50A19F32E381A3,SHA256=117CD179595023CEE169AA849D0A9BC0EBEAE4792967DB958734DCC66AE9825E,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555515 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.939" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"
EventID=23 Version=5 RecordID=7555514 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.939" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes="MD5=1C29A339A799DABBBC8AB78E116A4E5E,SHA256=DB24AA3EE9524DDA7F4DBC6FC0E7CBF01397D30FF5D4486C9D9011AE4A090FEC" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555513 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.923" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"
EventID=23 Version=5 RecordID=7555512 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.923" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes="MD5=D065A889DC303121EB889151242430DD,SHA256=531D551D22E5C35B4A5BD8960A06F18C28F9607F6A7BBC2D3E4741887F6922DE" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555511 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.309" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" CreationUtcTime="2021-09-03 15:27:39.754"
EventID=23 Version=5 RecordID=7555510 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.309" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational" Hashes="MD5=1851463A2D54EA4DEA0A4E60796ACCBD,SHA256=49305B85DE999F5CA27A11ECC8B6A69B9506AB47BB305F6DF47E7E325BEE8788" IsExecutable=false Archived=true
EventID=11 Version=2 RecordID=7555509 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.309" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-09-03 15:28:51.675"
EventID=11 Version=2 RecordID=7555508 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.309" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-09-03 15:27:39.769"
EventID=23 Version=5 RecordID=7555507 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.309" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes="MD5=8A2D1268742DA7AFC535AACF6646F04E,SHA256=BFD9B0DBF0FAFF799FD919EA5C78E6891845E862957FE767FA549B75D1B36FB5" IsExecutable=false Archived=true
EventID=23 Version=5 RecordID=7555506 Computer=win-dc-291.attackrange.local UtcTime="2021-09-10 17:10:51.309" ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} ProcessId=5720 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA7E66AA732817FC5855C9C2D489EF6,SHA256=07C68F4709F64D698EE4CFC0459B853E65B8CAEC854981FC75261AEE1543C35Ffalsetrue 23542300x80000000000000002131959Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:51.260{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06B469FB5B1898E3AFD77F3D7F08694E,SHA256=3A94DD90B80D40E5373C4F2A0EEF67D0AF2C5065DB05D1AD834B23496EDB3058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131958Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:51.260{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C976400D9639D0204D277D07F492D9E3,SHA256=0A606C0CE4B361C7A4FEA3587446889C421E172A4019FEF5F70C615237DF18B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002131962Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:52.446{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7AD5F644C2F6CF4FC93361F0833774,SHA256=3309A35AB310616B75273D5341DC92900C57DC4171CEF987166F66C355892EBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007555520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:52.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:52.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB99827B5BDBFC0ACC107CC70368314,SHA256=2AFE36F93CF00290C947895E0496D3E3CBC226D92B79E409AF887AC28EA6817Ffalsetrue 22542200x80000000000000007555518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:33.126{4DF467A6-915E-613B-8222-01000000F001}5676roaming.officeapps.live.com0type: 5 prod.roaming1.live.com.akadns.net;type: 5 us2.roaming1.live.com.akadns.net;::ffff:52.109.20.16;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 354300x80000000000000002131961Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:43.015{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62386-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007555517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:33.202{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56868-false52.109.20.16-443https 354300x80000000000000007555516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:33.148{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49870- 11241100x80000000000000007555530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:53.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:53.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698CC6B644649CF2B51F8A4CE410C1B6,SHA256=D646A1A82171A84ABE48F59D0AE9186C45403C3FBD37D74B186055DDE1DA84F1falsetrue 23542300x80000000000000002131963Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:53.448{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E14C751108DE261B99E3551B85B470,SHA256=1370F02A29BE870532EB1440BF4493C37CB099B5B6418B228FD3D15BA5CFB416,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007555528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:53.205{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:53.205{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71BA114DCCC84608DF97B054CC63605,SHA256=0E183B7533B78D668D48D32EEB7567F2412A80F21B7DD64561DED069B168BA00falsetrue 13241300x80000000000000007555526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:53.190{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTimeBinary Data 12241200x80000000000000007555525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:53.190{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate 12241200x80000000000000007555524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:53.190{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000007555523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:53.190{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x80000000000000007555522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:53.190{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x80000000000000007555521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:53.190{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 
10341000x80000000000000002131977Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-919E-613B-A71B-01000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131976Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131968Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131967Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:54.565{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-919E-613B-A71B-01000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131966Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.565{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-919E-613B-A71B-01000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131965Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.550{AEE49BD1-919E-613B-A71B-01000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131964Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:54.465{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D91F7EFA54960C3E96B8FD9D6CEFD07,SHA256=487E214A16D4D750DEB3E6506F04E7A1364D54364C85A6211FAD75EBE6ECC781,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007555539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:54.965{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000007555538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:54.965{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9752b235-0000-0000-0000-100000000000} 12241200x80000000000000007555537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:54.965{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:54.965{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:54.965{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:54.435{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 11241100x80000000000000007555533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:54.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:54.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70489A20D82801B4C6498531BFF8235,SHA256=BE0F3367B32C9D215C2221811D8782D15903E8EA7ECD64A71D8516ACE1DEB1C5falsetrue 354300x80000000000000007555531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:35.053{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56869-false10.0.1.12-8000- 10341000x80000000000000002132006Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-919F-613B-A91B-01000000F101}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.951{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-919F-613B-A91B-01000000F101}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.951{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-919F-613B-A91B-01000000F101}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.935{AEE49BD1-919F-613B-A91B-01000000F101}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002131993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.666{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1DA138784DB727FBC0E80FCEC67347,SHA256=0DFAD7F76BC6AD69C69941CBD70EE9D22BCFFCBA103766CBDFE7D12EA06CDB5C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002131992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.666{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06B469FB5B1898E3AFD77F3D7F08694E,SHA256=3A94DD90B80D40E5373C4F2A0EEF67D0AF2C5065DB05D1AD834B23496EDB3058,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007555879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.733{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.733{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.717{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.717{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.717{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 11241100x80000000000000007555874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D80B35F9EEA44F4FA748C99C19951E,SHA256=3E667E43D96736BBF393F6409AB830DD1C9B5305A04E6FA581A1380B2BAF0938falsetrue 11241100x80000000000000007555872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D152A39774ACBFFD30F9A25DF86FEC0E,SHA256=728B8C47CACBEC614EAEC7CF94B3CA696BC924C1D6A60D89FA27662175F94965falsetrue 
534500x80000000000000007555870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.402{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x80000000000000007555869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\12EFDD2B.wmfMD5=C4E6B3035AC3828D375E5479E8485D0D,SHA256=591890CBBED60EF32252835A3F13362E9204F1088E5EFA9E164A3526B612C4D7falsetrue 11241100x80000000000000007555868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\12EFDD2B.wmf2021-09-10 17:10:55.386 11241100x80000000000000007555867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\~$PRD.docx2021-09-10 17:10:55.386 11241100x80000000000000007555866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F3DB09F8-8746-4FEF-A6AA-78558F8D8690}.tmp2021-09-10 17:10:55.386 11241100x80000000000000007555865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F323C2D3-F276-41BE-AB9B-3EE50201D2A0}.tmp2021-09-10 17:10:55.386 11241100x80000000000000007555864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{60DCF194-2F59-412A-94E5-DC96E79BB3E5}.tmp2021-09-10 17:10:55.386 11241100x80000000000000007555863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{EF422903-E6A5-4F39-BFCC-F750C0C8FBFE}.tmp2021-09-10 17:10:55.386 13241300x80000000000000007555862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\9(!Binary Data 12241200x80000000000000007555861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.386{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 13241300x80000000000000007555860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.384{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 
13241300x80000000000000007555859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.384{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x80000000000000007555858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.384{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 10341000x80000000000000007555857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.384{4DF467A6-3EE5-613A-21FA-00000000F001}24285184C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007555856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.384{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002131991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.397{AEE49BD1-919F-613B-A81B-01000000F101}34324368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-919F-613B-A81B-01000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131986Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131985Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131984Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131983Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131982Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:10:55.266{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-919F-613B-A81B-01000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002131979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.266{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-919F-613B-A81B-01000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002131978Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:55.251{AEE49BD1-919F-613B-A81B-01000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007555855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 
734700x80000000000000007555742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13801.20808Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=58F3352E3A0867817F759EA7940F2E10,SHA256=86AFDD63CFCA5B03D5265A2828F073CA401FE00B555B40AD9A0F7A193E200315trueMicrosoft CorporationValid 734700x80000000000000007555741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll16.0.13801.20442Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso50Win32Client.dllMD5=AF5E26C38079AF31CCAA732B6A351A0D,SHA256=C0BBDC787DCD21EF78B89B6C18C81A1ECC8F5B4D3C4E2F412525FD70039E667DtrueMicrosoft CorporationValid 734700x80000000000000007555740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmso40uiWin32Client.dllMD5=42CCB21CAB1B66AA9C7FF859A4BED97B,SHA256=76EFA67F0B7EA66DEAB42DB051DBCBA4B05EC04032B1D8AAE5E7761D7C6CA24FtrueMicrosoft CorporationValid 734700x80000000000000007555739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wevtapi.dll10.0.14393.3053 
(rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 734700x80000000000000007555738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso30Win32Client.dllMD5=F4FDCEA65C429F01EEC45163F005B5E3,SHA256=F3FF96E7EBF9E4BB43170456395F09C1DAB832B1F66EBFAFF5EF54344DB929D5trueMicrosoft CorporationValid 734700x80000000000000007555737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x80000000000000007555736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x80000000000000007555735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007555734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValid 734700x80000000000000007555733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007555732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 
734700x80000000000000007555731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.249{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000007555730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptui.dll10.0.14393.3321 (rs1_release.191016-1811)Microsoft Trust UI ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTUI.DLLMD5=7BA8C29986BA103E2353D405DCCB87D7,SHA256=E9FFD440B5318D65AC2A38125CC417C8F34C6344CA8D9251A8ABE74D14C518B8trueMicrosoft WindowsValid 734700x80000000000000007555729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=33E67D19ED73BD77FAB770F3677363E0,SHA256=3A7198AC7F995AE9FCA91372AFC3719C04417D638EE37EAA3162DE0A99F0F6B9trueMicrosoft CorporationValid 734700x80000000000000007555728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_aec97a71ddd5fa56\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® 
Windows® Operating SystemMicrosoft CorporationgdiplusMD5=D1F325FD8BA2F0AA9F853CB05DBDE6F6,SHA256=ED1FDCE716A2D5E0703DEBAE0E272BAA49C750B31773E9C0ADFCF5F9758F9350trueMicrosoft WindowsValid 734700x80000000000000007555727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\OART.DLL16.0.13801.20688Microsoft OfficeArtMicrosoft OfficeMicrosoft CorporationOART.DLLMD5=A4816E74F5F4F3A1D9B6637EB47C8B23,SHA256=9447582F286D97A4707BB8A6847398637D742E5ED653804EE94E495E3E3BF339trueMicrosoft CorporationValid 734700x80000000000000007555726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL16.0.13801.20854Microsoft WordMicrosoft OfficeMicrosoft Corporationwwlib.dllMD5=88AD4C5ED7EE51A82DDB8DF471E749B6,SHA256=E21BE93D40924965E74C6D1619F3C9AEE1FE09F535C8260B61387984DF55BC2DtrueMicrosoft CorporationValid 12241200x80000000000000007555725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun 12241200x80000000000000007555724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office 12241200x80000000000000007555723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft 
12241200x80000000000000007555722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.234{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE 10341000x80000000000000007555721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.234{4DF467A6-D3A4-6138-36CD-00000000F001}67805200C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+498a3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5206d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5132f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007555720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x80000000000000007555719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data 13241300x80000000000000007555718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6Binary Data 13241300x80000000000000007555717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14Binary Data 11241100x80000000000000007555716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnk2021-09-10 17:09:50.434 12241200x80000000000000007555715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14 12241200x80000000000000007555714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6 23542300x80000000000000007555713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnkMD5=237A24E763D36F9E969634CFB73983D0,SHA256=C6B812D0258586A3BCD83EE26B6335AF56EA4DA5CE9E0AC3E605DE03E44C0D03falsetrue 12241200x80000000000000007555712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder 12241200x80000000000000007555711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 13241300x80000000000000007555710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x80000000000000007555709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007555708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007555706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000007555702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\msvcp140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=F60E0D8C88242FE8CA38A8562685F231,SHA256=254F5CDE2DEF2BF3941F746E4902A36F5169BF73AE9E258E49BC1FEF7B26EC99trueMicrosoft CorporationValid 12241200x80000000000000007555701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007555700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 13241300x80000000000000007555683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListExBinary Data 13241300x80000000000000007555682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\2Binary Data 13241300x80000000000000007555681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\15Binary Data 11241100x80000000000000007555680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\PRD.docx.lnk2021-09-10 17:10:55.218 
12241200x80000000000000007555679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx 12241200x80000000000000007555678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 12241200x80000000000000007555677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007555675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007555674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007555673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 12241200x80000000000000007555672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000007555670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9752b235-0000-0000-0000-100000000000} 12241200x80000000000000007555669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007555668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000007555666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 10341000x80000000000000007555665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.218{4DF467A6-D3A4-6138-36CD-00000000F001}67805200C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5eac4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5fb06|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+178f5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0e4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 12241200x80000000000000007555664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000007555660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=766F0D18983E0810882FBA122AD1163E,SHA256=F10EF6DE6C651DB42DBD455A1C674047862CEBF6CCCE1F784CDB0571C9EA9757trueMicrosoft CorporationValid 
12241200x80000000000000007555659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007555653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.218{4DF467A6-D3A4-6138-36CD-00000000F001}67805200C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common 
Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4177c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18b13|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18013|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+19af2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 12241200x80000000000000007555652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007555647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.218{4DF467A6-D3A4-6138-36CD-00000000F001}67805200C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8f4a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+822c|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007555646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 10341000x80000000000000007555643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.218{4DF467A6-D3A4-6138-36CD-00000000F001}67805200C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7ae3|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007555642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 12241200x80000000000000007555641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.218{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 13241300x80000000000000007555638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\PointsBinary Data 13241300x80000000000000007555637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007555636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\DisplayNamePRD.docx 13241300x80000000000000007555635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\PathC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\PRD.docx 13241300x80000000000000007555634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\TypeDWORD (0x00000000) 12241200x80000000000000007555633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7} 12241200x80000000000000007555632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 12241200x80000000000000007555630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 13241300x80000000000000007555629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xd0e16b51) 12241200x80000000000000007555628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007555627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 12241200x80000000000000007555626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007555625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140_1.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=74B5641A50C27B57ED0DA622E66A239E,SHA256=A571D26E536D4F7DA93ACC24EDB1D823140B660795576DC27F626F1889106D36trueMicrosoft CorporationValid 12241200x80000000000000007555624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\Common 
12241200x80000000000000007555623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007555622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007555621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007555620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007555618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000007555608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007555604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007555603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007555602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007555601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007555600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000007555599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x80000000000000007555598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007555597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® 
Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000007555596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007555595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000007555594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007555593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000007555592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007555591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007555590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 
12241200x80000000000000007555589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007555588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007555586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 734700x80000000000000007555585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 13241300x80000000000000007555584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 
12241200x80000000000000007555583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 734700x80000000000000007555582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x80000000000000007555581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 734700x80000000000000007555580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007555579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007555578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007555577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007555576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007555575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll16.0.13801.20634Microsoft Office componentMicrosoft OfficeMicrosoft Corporationc2r64.dllMD5=89F83DB0358154696068C1A1A2C48B76,SHA256=97A0AC1E7CF73E000BC13BF560BA088C79797604E5E64F21B6DB843CD16742FFtrueMicrosoft CorporationValid 734700x80000000000000007555574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007555573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 12241200x80000000000000007555572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 734700x80000000000000007555571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT 
CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007555570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll10.0.19041.1074 (WinBuild.160101.0800)Client Virtualization SubsystemsMicrosoft® Windows® Operating SystemMicrosoft CorporationAppVISVSubsystems64.dllMD5=90B77DF9501D41C1FC3B9B08BF739CBD,SHA256=B767361DEEBE62459AD8D6124C9E94B0A20F09EA1C53F6111B7B71252B703A04trueMicrosoft CorporationValid 734700x80000000000000007555569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.202{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 13241300x80000000000000007555568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007555567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 
12241200x80000000000000007555566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.202{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000007555565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.202{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x80000000000000007555564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 13241300x80000000000000007555563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{163ACCA6-2ADB-4EB5-A139-3AF036D57823}\LaunchCountDWORD (0x00000007) 13241300x80000000000000007555562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{163ACCA6-2ADB-4EB5-A139-3AF036D57823}\LastAccessedTimeQWORD (0x01d7a666-0xd0df0230) 
734700x80000000000000007555561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000007555560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000007555559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007555558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Zvpebfbsg Bssvpr\Ebbg\Bssvpr16\JVAJBEQ.RKRBinary Data 734700x80000000000000007555557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007555556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exeMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499trueMicrosoft CorporationValid 12241200x80000000000000007555555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store 10341000x80000000000000007555554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-3F48-6132-1200-00000000F001}8525360C:\Windows\System32\svchost.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007555553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-3F48-6132-1200-00000000F001}8525360C:\Windows\System32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007555552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007555551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}24288072C:\Windows\explorer.exe{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007555550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:55.198{4DF467A6-919F-613B-8C22-01000000F001}7060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\PRD.docx" /o ""C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious 
Docs\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 12241200x80000000000000007555549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007555546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007555545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007555544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 12241200x80000000000000007555543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 12241200x80000000000000007555542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.187{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007555541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:55.182{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 354300x80000000000000007555540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:36.048{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-291.attackrange.local56870-false72.21.81.240-80http 23542300x80000000000000002132008Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:56.951{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A7A2ABF867CCE1543E8AA41CDF63F3,SHA256=8836B16104B47C1B0E7D993B90DB2F017D92468863D794616E7FEE6B9D85BFC1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002132007Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:56.667{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A5944E72F254BB40E6C7F50EBA5635,SHA256=9D984003DB61E9C41E2D151530A5BA2BDE4464C9F33CC4E04E333CC8356FCBFC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007555887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971526CC07FD7B326C8A85CB21DAA683,SHA256=5CF062744CB8AA83E183660B4EF439ABE47D5E60F2A93DF655716AFCDCC66E33falsetrue 11241100x80000000000000007555885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 11241100x80000000000000007555884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C616D2C923A49741CE8E7711C423361D,SHA256=7DAD73E0365475B6DD8A92C34C056127BBCF810057C43CBC798BFE5BFD61E5FEfalsetrue 23542300x80000000000000007555882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=257B7EEF5847D3D468BE1D7728976719,SHA256=D6963CEF94AF67946FE5B55F5E49C0C7FF652C90CAC52B26545372B7998B0975falsetrue 11241100x80000000000000007555881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.085{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:56.085{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCCE8BA80C729C6858B1DB0A5C1FF65A,SHA256=E11E290788EE417B92B319405116BA5BFAE72E3EB4E99B7AD8BB0E84ADC97D97falsetrue 11241100x80000000000000007555895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:10:57.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.761{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E308E37DA87792EE52DB13C237AFB28D,SHA256=3B34394642C5F9C197A2090F89EBD54EC54E1783965AE59B1A321867355711DFfalsetrue 11241100x80000000000000007555893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81419FA124B41072522849995B363C2,SHA256=E8A3BF4F30382F899447C5AB998D56B8E588A49071E84385E7560F4A9BB85896falsetrue 11241100x80000000000000007555891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.414{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007555890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.414{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E2CD4221DFD68248EBC6ACD8B5FA72,SHA256=1F24A8C6CD6B807DC3B085D27D08257C2C70A5ED5D683E53FF63763F24CFF176falsetrue 23542300x80000000000000002132010Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:57.668{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90253461909B217D5E6B2FF4DE0DA9A,SHA256=A103FE5A77A2149ECAB8544468D6CCA8558C4E334738E697910139EB851521D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002132009Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:48.838{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62387-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007555889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C98F7CFF1717DCC52505626749B6934,SHA256=366D04C9B54020D4CE164C9DAB0412B2394D83E0431A47EB4E223B7D7EA43517falsetrue 23542300x80000000000000002132011Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:58.671{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739797C3DC5BB59970CFC53D6E0D4120,SHA256=EF08B95B914BAB344A8DCBDF6ED04006BF80AEB4B0C1773166B13451D8AEEF98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007555971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:58.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007555970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:58.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:58.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000007555898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:10:58.160{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000007555897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:10:58.160{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000007555896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:10:58.160{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 23542300x80000000000000002132012Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:59.689{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6311D13EACA707CE956576EF6D5E439F,SHA256=F40D1CFED4AF7A16A8A4F89764A3C85F323D07EB97047D7C5F05FC3B8FCE8325,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000007555981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:59.574{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000F05D8\VirtualDesktopBinary Data 12241200x80000000000000007555980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:10:59.574{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000F05D8 11241100x80000000000000007555979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:59.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:59.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383E170BAEF28531EE664A95E38833F0,SHA256=4531FBE2500FB6F47FEE660C387EF3DEF4B97840731EDEDA681A4E1C8A01608Ffalsetrue 13241300x80000000000000007555977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:59.511{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 
13241300x80000000000000007555976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:10:59.511{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000007555975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:59.511{4DF467A6-3EE5-613A-21FA-00000000F001}24285184C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007555974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:59.495{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:59.495{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=066DD984612220CE9605E3C54F0C2E1E,SHA256=F43F89D7F9FC76A45BE107975A4BE6760AD14E65022011CA28AD74A613734A94falsetrue 22542200x80000000000000007555972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:39.260{4DF467A6-915E-613B-8222-01000000F001}5676hidusi.com0::ffff:127.0.0.1;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x80000000000000002132013Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:00.690{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B795728A1C29EE025680F3CF61E978B7,SHA256=784AA5BEB63429A06E90C2B6E700BE886D7658810DF84C49B053E8EBE39F8984,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007555989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:00.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:00.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C52ABFA276620E46D8ABDE93F7BDD3C,SHA256=BEBEE18F42B53FB4F2096132EE32A9069CDA682F37B234284CF590DBEBFD0615falsetrue 11241100x80000000000000007555987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:00.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007555986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:00.525{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF172B0D1EDDD75E14615A135E63312E,SHA256=5BB5ABD0E0D622E8DD456F0D5E2D8B3CD2E1E19B29C99D02A11A555161438544falsetrue 22542200x80000000000000007555985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.012{4DF467A6-915E-613B-8222-01000000F001}5676nexusrules.officeapps.live.com0type: 5 prod.nexusrules.live.com.akadns.net;::ffff:52.109.8.19;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 354300x80000000000000007555984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.092{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56878-false52.109.8.19-443https 354300x80000000000000007555983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:41.034{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51799- 354300x80000000000000007555982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:40.965{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56877-false10.0.1.12-8000- 
23542300x80000000000000002132014Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:01.691{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6DCC1AD3ED745BD80AF1425CDD4CF5,SHA256=72CF5711786D8B332F487443D3CACE0F79F8420AD75923551AE1BFD20155AAC0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007555999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=748E4A9E75BC398549B34E315F2EB1D3,SHA256=9580C10072CFAEA976DC553526F10F04681E47F52741975B0B1596C0FFA2D1BDfalsetrue 11241100x80000000000000007555997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.976{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1F93189379FD9DB08D6FC6DB67625B5B,SHA256=A557B82746BC16185926BA0770E2AD709592506C7193224726F5DA07AC4CE0BDfalsetrue 11241100x80000000000000007555995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.539{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x80000000000000007555994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.539{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007555993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.539{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B91D37143E9F3AE834EC1FAA13ECA794,SHA256=866B5B5D6DBF4FF1744DC51C9E2E7D18BB2F38D87044AD16ED12E7435092CFC2falsetrue 23542300x80000000000000007555992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.539{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00D592E401B3ADB6D94D94F73DB3634,SHA256=B830593473043DBAAFC9AD1AD4F04540EED87BCEC5EB361C67A89B65FE27F87Afalsetrue 
11241100x80000000000000007555991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007555990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:01.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=723702842A38651944ED1E527073B3CE,SHA256=76EC142423F5CD907AB9EF46E9873D3F49288A1261C1CD03C7706F3BF1B1989Ffalsetrue 11241100x80000000000000007556003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:02.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:02.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074C46B4BF8D2E4C4AAF6DDD863B19BA,SHA256=A4A339752BAC94E8C658BE6BB25E01955605C234ED5036C52659DD67A64B1D6Ffalsetrue 11241100x80000000000000007556001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:02.553{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000007556000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:02.553{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BFD95CA4CDF4AA40CC666231245824,SHA256=506BAF36BEF547DC5A5000C0AE7751A2F2823A6259084287623519E55EE9C669falsetrue 23542300x80000000000000002132015Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:02.693{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378FCFEEEA5C404F732C0DAA1EF49F01,SHA256=3888D98E122DA41463C6593D7B1AC735C3A6EDB005DA3C3A00961F335C2D1308,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007556067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.919{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007556066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.871{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007556065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.871{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C01A0\VirtualDesktopBinary Data 12241200x80000000000000007556064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.871{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C01A0 10341000x80000000000000007556063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.871{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.804{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.804{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADA634E29289C7C8068FD629AB56076,SHA256=111EE1B6A22720D11AC0B0EA1A8FD4727E5162EE1D01086618CC9F04F0747F0Bfalsetrue 12241200x80000000000000007556060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.773{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 10341000x80000000000000007556059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007556057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\PointsBinary Data 13241300x80000000000000007556056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\LastAccessedTimeQWORD (0x00000000-0x00000000) 10341000x80000000000000007556055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007556054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\TypeDWORD (0x00000000) 12241200x80000000000000007556053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007556052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007556051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 10341000x80000000000000007556050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007556047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 10341000x80000000000000007556046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007556045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\9(! 
13241300x80000000000000007556044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469AD00\2469AD00Binary Data 12241200x80000000000000007556043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469AD00 11241100x80000000000000007556042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\PRD.docx.LNK2021-09-10 17:11:03.773 12241200x80000000000000007556041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000007556040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xd5fd2850) 23542300x80000000000000007556039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\PRD.docx.LNKMD5=DD09687B1B2A8F077475497253AB5370,SHA256=4C5F627CC40CC61E92A0635B9DB23130BDE69E5D50491ECCB5242798704FB1EDfalsetrue 12241200x80000000000000007556038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000007556037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\windows.storage.dll+3c6ffe|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca15e|C:\Windows\System32\windows.storage.dll+3c5e2f|C:\Windows\System32\windows.storage.dll+3c6f70|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007556033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x80000000000000007556032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007556028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 10341000x80000000000000007556027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbef0|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942a1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007556025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:03.773{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007556024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c76c8|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program 
Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\PRD.docx.LNK2021-09-10 17:11:03.773 13241300x80000000000000007556020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\Place MRU\Item 1[F00000000][T01D7A666D5FD20D0][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\ 13241300x80000000000000007556019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 4[F00000000][T01D7A59EFF901F10][O00000000]*C:\Users\Administrator\Desktop\5047669871509504\938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52.docx 
13241300x80000000000000007556018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 3[F00000000][T01D7A5A1B56CE7D0][O00000000]*C:\Users\Administrator\Desktop\5175182148927488\938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52.docx 13241300x80000000000000007556017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 2[F00000000][T01D7A666B3EFA120][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\Project details (1).docx 13241300x80000000000000007556016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:03.773{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 1[F00000000][T01D7A666D5FD20D0][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\PRD.docx 13241300x80000000000000007556015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
12241200x80000000000000007556149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007556148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007556147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007556146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 734700x80000000000000007556145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007556144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007556143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007556142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007556141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll16.0.13801.20634Microsoft Office componentMicrosoft OfficeMicrosoft Corporationc2r64.dllMD5=89F83DB0358154696068C1A1A2C48B76,SHA256=97A0AC1E7CF73E000BC13BF560BA088C79797604E5E64F21B6DB843CD16742FFtrueMicrosoft CorporationValid 12241200x80000000000000007556140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 734700x80000000000000007556139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007556138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007556137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll10.0.19041.1074 (WinBuild.160101.0800)Client Virtualization SubsystemsMicrosoft® Windows® Operating SystemMicrosoft CorporationAppVISVSubsystems64.dllMD5=90B77DF9501D41C1FC3B9B08BF739CBD,SHA256=B767361DEEBE62459AD8D6124C9E94B0A20F09EA1C53F6111B7B71252B703A04trueMicrosoft CorporationValid 734700x80000000000000007556136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x80000000000000007556135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000007556134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007556133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.969{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 12241200x80000000000000007556132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.969{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 734700x80000000000000007556131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.969{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT 
BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007556130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.968{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 13241300x80000000000000007556129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.968{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007556128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.967{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{163ACCA6-2ADB-4EB5-A139-3AF036D57823}\LaunchCountDWORD (0x00000008) 13241300x80000000000000007556127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.967{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{163ACCA6-2ADB-4EB5-A139-3AF036D57823}\LastAccessedTimeQWORD (0x01d7a666-0xd74be7f0) 734700x80000000000000007556126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.967{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program 
Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000007556125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.967{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000007556124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.967{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 734700x80000000000000007556123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.967{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exeMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499trueMicrosoft CorporationValid 13241300x80000000000000007556122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.967{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Zvpebfbsg Bssvpr\Ebbg\Bssvpr16\JVAJBEQ.RKRBinary Data 
12241200x80000000000000007556121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.966{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store 10341000x80000000000000007556120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.966{4DF467A6-3F48-6132-1200-00000000F001}8525360C:\Windows\System32\svchost.exe{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:05.966{4DF467A6-3F48-6132-1200-00000000F001}8525360C:\Windows\System32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.965{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007556117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.965{4DF467A6-3EE5-613A-21FA-00000000F001}2428804C:\Windows\explorer.exe{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007556116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.964{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\A Letter before court 4.docx" /o ""C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 12241200x80000000000000007556115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007556114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007556113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007556112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007556111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007556110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 12241200x80000000000000007556109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 12241200x80000000000000007556108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007556107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.947{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 11241100x80000000000000007556106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007556105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A4061F0F3A3FDDCF7D5E87B4A1067B8D,SHA256=D5C71B1A7F40E2E459F227D1CD4E5E7B2BA43DB93934A370541575DF6189C73Dfalsetrue 534500x80000000000000007556104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.716{4DF467A6-9162-613B-8422-01000000F001}6392C:\Windows\System32\sppsvc.exe 11241100x80000000000000007556103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:05.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007556102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A4061F0F3A3FDDCF7D5E87B4A1067B8D,SHA256=D5C71B1A7F40E2E459F227D1CD4E5E7B2BA43DB93934A370541575DF6189C73Dfalsetrue 11241100x80000000000000007556101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007556100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:05.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B2273A6F664958DE88F01F35341A636,SHA256=79A4C1B69AD83112CD107A2F92B17A5A27C414A8884B44CAE514DB1EB963B493falsetrue 12241200x80000000000000007556099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:05.701{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 13241300x80000000000000007556098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\ActionsBinary Data 13241300x80000000000000007556097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\TriggersBinary Data 13241300x80000000000000007556096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\URI\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask 13241300x80000000000000007556095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Description$(@%%systemroot%%\system32\sppc.dll,-201) 13241300x80000000000000007556094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Author$(@%%systemroot%%\system32\sppc.dll,-200) 13241300x80000000000000007556093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Source$(@%%systemroot%%\system32\sppc.dll,-200) 
13241300x80000000000000007556092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\SecurityDescriptorD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323) 13241300x80000000000000007556091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Version1.0 13241300x80000000000000007556090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\SchemaDWORD (0x00010005) 13241300x80000000000000007556089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\HashBinary Data 13241300x80000000000000007556088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:05.685{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\IndexDWORD (0x00000003) 12241200x80000000000000007556087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 734700x80000000000000007556258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000007556257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-3F48-6132-1600-00000000F001}12487400C:\Windows\system32\svchost.exe{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000007556255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000007556254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 11241100x80000000000000007556253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{12CE83BD-F4A0-4C1A-A804-FA9FDD822933} - OProcSessId.dat2021-09-10 17:11:06.047 13241300x80000000000000007556252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000001) 13241300x80000000000000007556251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000002) 734700x80000000000000007556250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=4479EEB5C5400D4C084274BA015750FA,SHA256=6B30AE7147132038E603EEB2D35C35BB3D03EC5AFA560D31969E2D39A44ACDCDtrueMicrosoft WindowsValid 13241300x80000000000000007556249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3856\0Binary Data 12241200x80000000000000007556248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3856 734700x80000000000000007556247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.047{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 
13241300x80000000000000007556246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:06.032{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling\0Binary Data 734700x80000000000000007556245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.032{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL16.0.13801.20796Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMSO.dllMD5=DEAB06C2DDF8959448455176D2A1754E,SHA256=49708B1D39D76B2E9F096B95BCB30B6601D3B5C8E1D84830740EC25FE8F38F39trueMicrosoft CorporationValid 734700x80000000000000007556244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.032{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007556243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.032{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 
734700x80000000000000007556242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.032{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13801.20808Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=58F3352E3A0867817F759EA7940F2E10,SHA256=86AFDD63CFCA5B03D5265A2828F073CA401FE00B555B40AD9A0F7A193E200315trueMicrosoft CorporationValid 734700x80000000000000007556241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.032{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll16.0.13801.20442Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso50Win32Client.dllMD5=AF5E26C38079AF31CCAA732B6A351A0D,SHA256=C0BBDC787DCD21EF78B89B6C18C81A1ECC8F5B4D3C4E2F412525FD70039E667DtrueMicrosoft CorporationValid 13241300x80000000000000007556240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:06.032{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007556239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:06.032{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 
734700x80000000000000007556238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmso40uiWin32Client.dllMD5=42CCB21CAB1B66AA9C7FF859A4BED97B,SHA256=76EFA67F0B7EA66DEAB42DB051DBCBA4B05EC04032B1D8AAE5E7761D7C6CA24FtrueMicrosoft CorporationValid 734700x80000000000000007556237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 734700x80000000000000007556236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso30Win32Client.dllMD5=F4FDCEA65C429F01EEC45163F005B5E3,SHA256=F3FF96E7EBF9E4BB43170456395F09C1DAB832B1F66EBFAFF5EF54344DB929D5trueMicrosoft CorporationValid 734700x80000000000000007556235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x80000000000000007556234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x80000000000000007556233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007556232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValid 734700x80000000000000007556231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007556230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000007556229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000007556228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptui.dll10.0.14393.3321 (rs1_release.191016-1811)Microsoft Trust UI ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTUI.DLLMD5=7BA8C29986BA103E2353D405DCCB87D7,SHA256=E9FFD440B5318D65AC2A38125CC417C8F34C6344CA8D9251A8ABE74D14C518B8trueMicrosoft WindowsValid 734700x80000000000000007556227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=33E67D19ED73BD77FAB770F3677363E0,SHA256=3A7198AC7F995AE9FCA91372AFC3719C04417D638EE37EAA3162DE0A99F0F6B9trueMicrosoft CorporationValid 734700x80000000000000007556226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x80000000000000007556225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_aec97a71ddd5fa56\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=D1F325FD8BA2F0AA9F853CB05DBDE6F6,SHA256=ED1FDCE716A2D5E0703DEBAE0E272BAA49C750B31773E9C0ADFCF5F9758F9350trueMicrosoft WindowsValid 734700x80000000000000007556224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.016{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\OART.DLL16.0.13801.20688Microsoft OfficeArtMicrosoft OfficeMicrosoft 
CorporationOART.DLLMD5=A4816E74F5F4F3A1D9B6637EB47C8B23,SHA256=9447582F286D97A4707BB8A6847398637D742E5ED653804EE94E495E3E3BF339trueMicrosoft CorporationValid 734700x80000000000000007556223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.000{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL16.0.13801.20854Microsoft WordMicrosoft OfficeMicrosoft Corporationwwlib.dllMD5=88AD4C5ED7EE51A82DDB8DF471E749B6,SHA256=E21BE93D40924965E74C6D1619F3C9AEE1FE09F535C8260B61387984DF55BC2DtrueMicrosoft CorporationValid 12241200x80000000000000007556222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:06.000{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun 12241200x80000000000000007556221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:06.000{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office 12241200x80000000000000007556220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:06.000{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft 12241200x80000000000000007556219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:06.000{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE 10341000x80000000000000007556218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:06.000{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-91A9-613B-8D22-01000000F001}3856C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+498a3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5206d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5132f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:07.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:07.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=310315304878B192A318D08B108FAEC8,SHA256=0F7940DADAA210DD1936DF2C3DA30AF5F5B02BC85EDBC7D70EE78E67992BCBDFfalsetrue 11241100x80000000000000007556325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:07.745{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:07.745{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643E7756934504BD1EFA7CD082BA6E72,SHA256=2261CDFE753D9D2FB6349B46D033473263EF260770CAF55E0F6EDB868B982125falsetrue 11241100x80000000000000007556323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:07.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:07.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E558280DD8C6B2BA47C7FD37CB1C58B8,SHA256=0930BE84EDE06D62A7D3D886065CD4FDF5C62AB4D196388F19B66B328F4C3F18falsetrue 10341000x80000000000000007556321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:07.245{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132036Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.937{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91AB-613B-AA1B-01000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132035Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132033Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132032Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:07.936{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.935{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:07.935{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132029Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.935{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132028Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:07.935{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132027Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.935{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132026Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:07.935{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-91AB-613B-AA1B-01000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132025Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.934{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91AB-613B-AA1B-01000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132024Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.919{AEE49BD1-91AB-613B-AA1B-01000000F101}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132023Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:07.771{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB3318FEE360901B269FB82A9AA8D2D,SHA256=1247251B534961BECDB1F8F32600118250745EB76E4F706CE9FA3C99640C2B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.871{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BB0ABE0188E5C9AF30C7AC6BBC1E5D,SHA256=00C3BA421650B8B0E71F6AFFBABAB42773B419E95133949E3ACB792A1D6F6269,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:08.781{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:08.781{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27865A9FA66018046C48EF5477B4D1E3,SHA256=FBECBCE5DA0D474ED2B1E54C3FAF7C69AB2529E129A9757E3EA2A68DD1A89B74falsetrue 11241100x80000000000000007556329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:08.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:08.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F49085D122E3A6D65445DEEBBCC71A4,SHA256=3F1438B8F3D953EDE8CF9776F17D3159DD13E982DFA24225306CCAE87376FBBEfalsetrue 10341000x80000000000000002132054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.740{AEE49BD1-91AC-613B-AB1B-01000000F101}5956504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91AC-613B-AB1B-01000000F101}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:08.618{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-91AC-613B-AB1B-01000000F101}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.618{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91AC-613B-AB1B-01000000F101}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.603{AEE49BD1-91AC-613B-AB1B-01000000F101}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002132040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:10:59.974{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62389-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E26FE01EDC8980054EB5B833E7255E8,SHA256=0030C4479A16C4031FF7A01404463E6E2C66FEF1F4F35CA4F4B8D1AFB7CAA380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61D11BEBD2FDD28565EF2704881F0011,SHA256=49F2862737C3E97090352BB6FB42DBA969C2792537C8628DCE6913F4185105B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002132037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:08.055{AEE49BD1-91AB-613B-AA1B-01000000F101}7205676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002132071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.886{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503AD702EACE249F66C2CC62F660CD73,SHA256=16C6151626D0535B6DE36B35E73C400E4EE3FD6F4496C6AD67752A72BE68179E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:09.794{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:09.794{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D23BBFE385958D8747C00FC7FC14350,SHA256=B277C8FE6E9282BB8E586502AE96011F24534E453C7C04250A4678901517FBB6falsetrue 23542300x80000000000000002132070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.671{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E26FE01EDC8980054EB5B833E7255E8,SHA256=0030C4479A16C4031FF7A01404463E6E2C66FEF1F4F35CA4F4B8D1AFB7CAA380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002132069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.439{AEE49BD1-91AD-613B-AC1B-01000000F101}24402540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91AD-613B-AC1B-01000000F101}2440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:09.318{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-91AD-613B-AC1B-01000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.318{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91AD-613B-AC1B-01000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:09.303{AEE49BD1-91AD-613B-AC1B-01000000F101}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007556335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:09.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:09.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D257A194A3AE156DE1F7D9558290918,SHA256=61D6EC097D95051A9118254ADABA4CD91323EE2F10CFB1427CC0956FAA0901CDfalsetrue 13241300x80000000000000007556333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:09.096{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007556332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:09.096{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 
23542300x80000000000000002132072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:10.903{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EB656090E3782CCCA7D43B8B5F6158,SHA256=211B44464E5A496157F8234B574DFD413201F8D21A7ED1AA8C4300C53F4529C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:10.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:10.808{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428196F719B699F204B9E33CB6173446,SHA256=AEE2E10249ED1651C26EECD89E3AFA72FEB30997A130AA484B730030440990D3falsetrue 354300x80000000000000007556346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:51.104{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56895-false10.0.1.12-8000- 13241300x80000000000000007556345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:10.278{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000110576\VirtualDesktopBinary Data 12241200x80000000000000007556344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:10.278{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000110576 11241100x80000000000000007556343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:10.209{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F255DB71.html2021-09-10 17:11:10.209 13241300x80000000000000007556342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:10.209{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007556341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:10.209{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000007556340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:10.209{4DF467A6-3EE5-613A-21FA-00000000F001}24285184C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:10.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:10.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4224BC3372C5837341A5F5B616C03FA0,SHA256=90EA18E7E23716E6F04B6F0E8C3615DFF5F06423EB7AB8D48B32B7C1E6BCBFCEfalsetrue 23542300x80000000000000002132074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:11.920{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C045C170468C97ADB1E44C40998DA7D,SHA256=05A2413B1C2365273FAF8D910A9581438B0BEC65819FE0A6ED512275A78B24EF,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007556358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45E4FC76C3C9EC46D3E38EFFDFE1F3E1,SHA256=556EB2355050B699033324D355C17F38D8B55C34368982C728CEC2B0FDB8F384falsetrue 11241100x80000000000000007556356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7214728FDD3F6D56B401BB56936B3A4,SHA256=035F47CD9849A67FBFF81C492BAEDFB78C4707BAE3F481160141FB7F98095325falsetrue 11241100x80000000000000007556354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.822{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDAE0377A8550B211B57C8908C23A09,SHA256=99793583B6D46CF484C60EA285781BD2A8FC40B44E489FF24BA05829A4643A21falsetrue 23542300x80000000000000002132073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:11.639{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C85FF6829745BA6C5DB284766C260E21,SHA256=A1D751861E54CE091E4757A378374B9AF6BAFC14CE6D9B7F8D0CE04E67DD9E5Afalsetrue 11241100x80000000000000007556350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:11.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:11.161{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70CD1F62A597B6FA6ADB675E69B8CCB8,SHA256=DCCCD28772E4C667053C984C2050E933CD94349981651CB304FE10B30F4F9ECDfalsetrue 11241100x80000000000000007556362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:12.836{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:12.836{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1450434EB4A2A6042FCBF602C3757DD0,SHA256=D8CA3F5FCFBBBEED253984D44A754E7FE2950B51AFF3F209BFF46B8B7FD47C19falsetrue 23542300x80000000000000002132076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:12.921{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEF27B99C5C5241E214042272B6275C,SHA256=FC31AA1D38C71A34874D88120A66E56327A064F6ED0B9E97E5B3FC15DD44D03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:12.874{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=455BFF22BC2E61295599DBFC2B740E29,SHA256=F77385AECE69545C0DC8BF7F3DF1039706C86C79EFC523E5FC825B45794E8C39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:12.275{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:12.275{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA29FFE56182A9F781840790458AA70,SHA256=53A0C9CD81D02BBF8823FC9822A5F10E5BCF7815CE234BD38770A8237DD0085Ffalsetrue 23542300x80000000000000002132078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:13.923{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985AF2EFFDA44BABFEF6FA9E41B20969,SHA256=EAD6E446115AF1A257FF06282A21658C6F59CF53129268531B5F7D67CF5445B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.856{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.856{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C2907E804A4DFB01703CB9069C9D22,SHA256=1C2F527F4D2001F4FF61148F19150CA64F0C7B7F5DA0A029139620D70E751D52falsetrue 11241100x80000000000000007556374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007556373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=F17F8E9F94D7B4C96498D0A26B3E3185,SHA256=5650F671A73CCCDCA2FAB9265DD47A6A1FC090CA6AB195527D6970BE4AC6A984falsetrue 
11241100x80000000000000007556372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007556371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=F7E8E2F7F4E5C9A11DC9DF4FDC40EE92,SHA256=4D2C245CEAB4615802E90EAE0EC1EF3E69F60948657E300BE0D47D50DD7557ECfalsetrue 11241100x80000000000000007556370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007556369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=6D9E0F1E405D959FDC17FD8107C33877,SHA256=D9C02253B8B7A3B4623BF82FC8CF536915979CED86BE4ADFD2B8ED825F9A5186falsetrue 11241100x80000000000000007556368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 
20:44:01.067 23542300x80000000000000007556367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=9399F382D47639FB559C7445256D8296,SHA256=6F0F1704AF3BA3E37C59490F6D82E3D9EFEF40211B08FC619123843139F44DBCfalsetrue 11241100x80000000000000007556366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007556365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=1CDA90EF8A29E0EF23F75DD74E65D1AC,SHA256=C124A54F6C86DCCE8D8F4239D612D7D0E81BBAD0939CD8CB930FB575B0075B1Afalsetrue 11241100x80000000000000007556364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007556363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:13.735{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=918768748827B49A9B6E4306C17281B4,SHA256=6DF47FE147F46F3EBF2051DD71BB0BF2D4A472E5A97D35995B152E8CD394441Efalsetrue 354300x80000000000000002132077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:04.422{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62390-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002132081Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:14.943{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F1B18D44834FF7D095763A37EBA111,SHA256=DD9A791BC90D9AE86807FD5BCEAC55019AE9217476E22D294482B23E078853CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40FFD10FE5D89E32F03578FFCCDF2BF,SHA256=E16F2A7303F65654362E2440192D8B8D50EED0A7C147FB7056869553661B263Bfalsetrue 
354300x80000000000000002132080Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:05.862{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62391-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:14.092{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC9990408C0901041BD0B10626C762F0,SHA256=FFF015CBCE8E280D46BA9B8F376F3DC0FF9A03A1827EF3BD2619C79109CA4E2C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007556404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:14.549{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000007556403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\PointsBinary Data 13241300x80000000000000007556402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007556401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\TypeDWORD (0x00000000) 12241200x80000000000000007556400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 13241300x80000000000000007556399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xdc671c82) 12241200x80000000000000007556398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007556397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:14.533{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000007556396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007556395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007556394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f 10341000x80000000000000007556393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x80000000000000007556392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2469d6fd.TMPMD5=C6AE71089F74E4302EE35418B4F56D64,SHA256=F29444B5259FA225EA8A3DCE8AA5023E57BF1D080E51A677D2332EA633E56E35falsetrue 11241100x80000000000000007556391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2469d6fd.TMP2021-09-10 17:11:14.533 
254200x80000000000000007556390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P9GLSB8DJX1OQHMWZFW6.temp2021-09-08 15:20:54.5192021-09-10 17:11:14.533 11241100x80000000000000007556389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.533{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P9GLSB8DJX1OQHMWZFW6.temp2021-09-10 17:11:14.533 13241300x80000000000000007556388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.518{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007556387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.502{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007556386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.487{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 
13241300x80000000000000007556385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.471{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007556384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.387{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000003904A2\VirtualDesktopBinary Data 12241200x80000000000000007556383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:14.387{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000003904A2 11241100x80000000000000007556382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.318{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F1D42ABE.html2021-09-10 17:11:14.318 13241300x80000000000000007556381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:14.318{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007556380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:14.318{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000007556379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.318{4DF467A6-3EE5-613A-21FA-00000000F001}24285184C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.302{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADAC019380717D4D4347A290E61ABFC2,SHA256=F095656346FFF794DABD9083AC29FE4D8BC28DD20E63838FB752EB2F7DE85F6Cfalsetrue 
23542300x80000000000000002132083Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:15.948{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86D919F93006F2A142DB005C41FE309,SHA256=AC9DED65E1051CD5F6C274AFE65BEE1EDDF1529CF39794AE576EBF45BC287145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132082Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:15.796{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9919MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007556496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.669{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\D3DCompiler_47.dll10.0.14393.3930 (rs1_release.200901-1914)Direct3D HLSL CompilerMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=6C441F5AD6724D68B27D9928C6C1170D,SHA256=EEA0AE3BDCEF59AF62F471E90C489044B8DB55BFF6377231E002A70AB1F8CF73trueMicrosoft WindowsValid 12241200x80000000000000007556495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007556494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007556493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007556492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007556491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007556490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007556489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007556488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007556487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000007556486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007556485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007556484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007556483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007556482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007556481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007556480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007556479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007556478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007556477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007556476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007556475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007556474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007556473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.731{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007556472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000007556471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.685{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007556470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.685{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000007556469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007556468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000007556467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}24285184C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007556465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A6\VirtualDesktopBinary Data 12241200x80000000000000007556464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A6 10341000x80000000000000007556463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.632{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.516{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.516{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3777F01CC0AA174188A136979972B0F0,SHA256=06168FE4F9F412D46BA894371B8D0C97D06E0FE7985C51841EE04BA0CAD1C904falsetrue 
12241200x80000000000000007556460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 12241200x80000000000000007556459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:15.501{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 12241200x80000000000000007556458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:15.501{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\(2! 13241300x80000000000000007556457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:15.501{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469DAB7\2469DAB7Binary Data 10341000x80000000000000007556456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.485{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.485{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007556454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:15.485{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469DAB7 13241300x80000000000000007556453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:15.485{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\PointsBinary Data 10341000x80000000000000007556452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:15.485{4DF467A6-915E-613B-8222-01000000F001}56761432C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+3dbf02|C:\Windows\System32\windows.storage.dll+3d95bb|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193f30|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+194431|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1942c8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+193141|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007556451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:15.485{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007556450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.847{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE6-613A-25FA-00000000F001}580C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.846{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.845{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:16.845{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE7-613A-26FA-00000000F001}3968C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007556503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.730{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:16.730{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66DE9E9303DEA1CD22C1E924D9F6A7F4,SHA256=BD493BF8B600355AE146A4B0AE56D7FD2A5EE8AC4B7C92F9C5E94C9D8A915FB8falsetrue 354300x80000000000000007556501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:10:57.117{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56904-false10.0.1.12-8000- 11241100x80000000000000007556500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
11241100x80000000000000007556591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:23.437{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:23.437{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC6B8FAC4AA5E5627BF9B2E9F710117,SHA256=C57BE5EEDAE789511C653E4E45CFC156A456E44C6401895CB63027C2792C31CDfalsetrue 23542300x80000000000000002132108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:23.053{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB63CEDAA1A662B8D153ED50672AD93,SHA256=AF999061EA5FFB2A020FAE385131899B4A2FEED98981222A909396DB25F82981,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:24.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:24.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7E2103A5A067DBA2C6DFF6DB1DFACA,SHA256=351017EEC7FB679A44588A720F13E235D0AF30BBDE95CB7FF1EE24A546C4ED19falsetrue 23542300x80000000000000002132109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:24.057{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B63AF2FD4A6CDCEDCC515C413F06015,SHA256=4284B3B9D75B024A14FAEEF2CC95CED04817015E2320D9F9E7E8B559361CED53,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:24.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:24.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24386516EF9E4A4786987A8E301FC008,SHA256=9159A5FC4EA31DE5DC81EF428BB46CE8288D6F9E0A8052517BA564B5948BBE67falsetrue 11241100x80000000000000007556597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:25.484{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007556596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:25.484{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68543509B3054B79880EB5B76D60D036,SHA256=1D45CFC3628C0EAD46951700BB859148565FA3EFC26A3313FB4B6DCB65393072falsetrue 354300x80000000000000002132114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:16.795{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62393-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002132113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:25.478{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\SiteSecurityServiceState.txt2021-09-08 15:38:17.364 23542300x80000000000000002132112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:25.478{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\SiteSecurityServiceState.txtMD5=C25E2AB9B0B4D2D4F356003499E4767D,SHA256=F486079EEC9C931112702C5205D9D0D0779B8C0F2AF8C218A97C96B9C9E776DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:25.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FA207888EFB7569B6E28D0AFB67D7E,SHA256=C4AF312500F26B6EED01A8C53B94C8FE5163E916D7CF8BAEE602166F3DE25825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:25.025{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB752D229F01CBB7F50657EDE2F15FDD,SHA256=20F4D415B2394856DEEB9575C797E1601DC10215B17B47D7DF6B052EF3BC57C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.514{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.514{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1FA7234987AAD178C530274441DF12,SHA256=03711F458B0152B8268072F9C9C414D9EB7E4F573656F06D61C053C86C8C5358falsetrue 23542300x80000000000000002132115Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:26.079{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF89364C7C0F24E89AFE95D959E97483,SHA256=1155BF4935B85413EFD5B940642D2254360078D7ADF761FC32387F5C5FE92E65,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007556620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:26.236{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000007556619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\PointsBinary Data 13241300x80000000000000007556618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007556617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\TypeDWORD (0x00000000) 12241200x80000000000000007556616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 13241300x80000000000000007556615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xe360d09a) 12241200x80000000000000007556614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007556613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:26.236{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000007556612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007556611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007556610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f 10341000x80000000000000007556609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}56761364C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x80000000000000007556608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF246a04b4.TMPMD5=D29B6718CAAD2A1F833C60744CF33C45,SHA256=7C1763C6913063BEC73DD15F1B449ABA76169BA63CDA6A5D8CEA634C5D35A696falsetrue 11241100x80000000000000007556607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF246a04b4.TMP2021-09-10 17:11:26.236 
254200x80000000000000007556606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TSIX316TSBVTSEXVJ6L8.temp2021-09-08 15:20:54.5192021-09-10 17:11:26.236 11241100x80000000000000007556605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.236{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TSIX316TSBVTSEXVJ6L8.temp2021-09-10 17:11:26.236 13241300x80000000000000007556604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.215{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007556603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.199{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 11241100x80000000000000007556602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:26.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:26.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFF2F6FD9AE1DFF4E09399278469B657,SHA256=C6BB342DFD90802697D1A12E99A73F1374850CB8356FDC1E4AAF8F05025171A7falsetrue 13241300x80000000000000007556600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.183{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007556599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.168{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 13241300x80000000000000007556598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:26.152{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 11241100x80000000000000007556630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007556629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.531{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156C8CEF4C1729B6F5B53324C696EB61,SHA256=38A3F6EC46560F886372213A296E16F9E86B3C41AC5BB7DA17870A425EAB6D81falsetrue 23542300x80000000000000002132116Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:27.081{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A9A38B079535275064D0178EE54BCD,SHA256=704122C457569456F3F65586BE462166CAEBB4428E82C36E91C75058C5EF1776,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.182{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.182{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29EE520A494C2F5EF4C8634EF6B54D75,SHA256=42AACAC95438EED84CA7D971AA3C388DD6D5DB3DE8261B68B411F8C1CE051468falsetrue 11241100x80000000000000007556626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:27.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E31CB349AE9941E3090B1F4A10589CC5,SHA256=1388C82F21D7BD9090FCDB6A0588C071BBF7E3961EF0398409E68FC5E603EF8Afalsetrue 11241100x80000000000000007556624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:27.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D4DAE66C7F18364557482B99DBA3E8,SHA256=D1B71F5BB5FC8381AF03B386DE3524AFD98D530D051861CEFE36EACB2B81F9F1falsetrue 354300x80000000000000007556633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:08.997{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56916-false10.0.1.12-8000- 
11241100x80000000000000007556632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:28.548{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:28.548{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B5B976F6ECDFDBDFF553C2342DD1C3,SHA256=EF719416BB40442D5A064489873C4F199D92393495160C0ABF041CE1A5AF618Afalsetrue 23542300x80000000000000002132127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:28.082{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B534EFA128035C47D291D719E2AD96,SHA256=C20B04AE8C1047A672A0D4C262BF2D72F12E21D2A0B51FEE79BA9363BE8288BA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002132126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002132125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD 
(0x00000000-0x24621843) 13241300x80000000000000002132124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65e-0x81e94bd4) 13241300x80000000000000002132123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0xe3adb3d4) 13241300x80000000000000002132122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66f-0x45721bd4) 13241300x80000000000000002132121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002132120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x24621843) 13241300x80000000000000002132119Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65e-0x81e94bd4) 
13241300x80000000000000002132118Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0xe3adb3d4) 13241300x80000000000000002132117Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-10 17:11:28.029{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66f-0x45721bd4) 11241100x80000000000000007556637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:29.562{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:29.562{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FFC2564692CED519E57ECBE4AF0E02,SHA256=9A1A626FBBB1ACBFD94C3A57419F9DDE9D3D435DD6292F5A1D0FC28C0FDB61D0falsetrue 23542300x80000000000000002132128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:29.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518C26070CDAED5C80F9304F21E73FCB,SHA256=A8E52A32EDBAF866ECB278B92C8C5E6A0B25FE530318FDCA028F052365AFDB85,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007556635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:29.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:29.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C1A8EE168FF857E5631AE92AADBAEEE,SHA256=4DA7D14A36C29E2F2812B5A7ABB79048C618B57920D9126E5962841CC95F4AA7falsetrue 11241100x80000000000000007556639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:30.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:30.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5239D41442DF66CDFE271945735E36,SHA256=24C4ECDD76BCC5DB7A34F9CF052153878153966DC9BF98A7BA0D003F45B58AECfalsetrue 354300x80000000000000002132132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:21.952{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62394-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:30.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096D39940AE162E97B28B31724F13FCF,SHA256=9DEEFBDD9003BF3AB5A227781D955295902CAD42096B15CAF00428A651692B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132130Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:30.167{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A307B0B33AC042F5DE94DD9A77B2BD8D,SHA256=E44A902EC92CF14CA571C82116462FD7CC3F2E7E5743FBE79B08D751DB601D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:30.085{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE47B9CED353F74B7FE1B829A07E7DAB,SHA256=8B54BA241272147851EBE43DEB4B74ACE60A78205A2B7BC9A509708C565AC973,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:31.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000007556642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:31.605{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49AB269302AB22FF5DEDE4D020CA6C1,SHA256=CB7165B444066B07A4781428A0894C7A4FD0018214A49B17C5620C3657FB1A11falsetrue 23542300x80000000000000002132134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:31.149{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=392BDBE9D38CC39AA8D200297D646C5B,SHA256=95F6C2681B9FAEC7AC8279FA94664F4D266D8A015A02A659881511D959ED7516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:31.087{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C504D5A5612D81C51246F11CAD9886F,SHA256=28DE18AAE873A9B637A27DF91C30625A5AD1C0DA1DD201F57EF6A04A476B6E8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:31.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:31.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6BC80FE4018CE1145B7C354C78C05D2C,SHA256=B87E00E8784D4A2FB3E53EBF394F475EA118DAFEF15CEB03B03299985604C068falsetrue 11241100x80000000000000007556655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.672{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.672{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C603336E6FCD136100D0F13005BF3A2,SHA256=E11BB256059EC0AE60E7E849DC9E6E9D3A85E08A0C2704192C4103DDD0E408A9falsetrue 23542300x80000000000000002132135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:32.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F2F5A143CE3A516B11FB793183B656,SHA256=C9A92BDBAE002AE57A1AE92B7BD689606476040BAFFB1AF03D04EC8C550DB5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007556653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:14.088{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56917-false10.0.1.12-8000- 11241100x80000000000000007556652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=77F72E422B818BCFF7CC1A50D8DC83DF,SHA256=3D2568E62F05865187C6C159A7FBE01AB3053AA9C33EC0D0C522043464C0FEEEfalsetrue 11241100x80000000000000007556650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5476D4BB3F4CA0669A8134336AB2FDEE,SHA256=CE12605CD5EAFE2DFBFA0FE075254CF1A042F151E009112E99C18AAF8E1154E8falsetrue 11241100x80000000000000007556648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DC00F4627426FC5FA69EE42933AE2A1,SHA256=6E347CB287808FBB0FCCBD4EBDC0B74C01CC09148212EB90F3F42DD325676DBFfalsetrue 23542300x80000000000000007556646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.160{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9928MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007556645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.159{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99282021-09-10 17:11:32.159 11241100x80000000000000007556644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:32.158{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99292021-09-10 17:11:32.158 11241100x80000000000000007556658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:33.689{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:33.689{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B6DD72EE208FC0BFDB7A630686311D,SHA256=7FE68C52860232E6C5D851D843F1ACC2B3B61A8E1ECAA7FD789DFF06D2AD3179falsetrue 23542300x80000000000000002132136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:33.121{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1C0D4813E2D9B9B38FDE09F7E45F9C,SHA256=BFD6B1699F44B0550FC7C4F0E7E9DA400D610185D676E5F26EFC86245A3142FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007556656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:33.177{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9929MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000007556660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:34.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007556659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:34.701{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5810A6E0D58951FC6BD099A5EE039009,SHA256=6FB92E646685BE8382229C4D691C2122E6B6B256D8AA5FC4FB031858DA7017E1falsetrue 23542300x80000000000000002132137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:34.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CE98F129ABE2359A0A373ADA7FA6FB,SHA256=A5E2424EEBD6B98D1F30F3294045822174C189F8A4E669539AB01E3AC6231C23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:35.717{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:35.717{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B5748C77A9FEF69A0D0D20C75FA634,SHA256=94F5DD89D02E07B2F52EF473ABA7BE96A43D5D1F6256DFED6E25991BEDDEB85Dfalsetrue 23542300x80000000000000002132138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:35.156{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37CBA7699BD63B771C6FCB2D3EBE831,SHA256=0B470A8B15AC676296D5C9BD307342C1E483180E52FBBBB1886ADFC6805B1422,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:36.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:36.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8699DAB9F85A860A7E1875333C1CAF0D,SHA256=518FF9164542D9CD14771E69F31BE88D455C5F190D011AA3CEB8BB1EB5BEF20Dfalsetrue 354300x80000000000000002132142Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:27.913{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62395-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:36.359{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FCF174DEEE6FFE333FC1121462FC71,SHA256=FF2979B4243E95EEC53FD657DF2EFDE02D806EC55BD1754250CD44ED6B73E056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:36.359{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096D39940AE162E97B28B31724F13FCF,SHA256=9DEEFBDD9003BF3AB5A227781D955295902CAD42096B15CAF00428A651692B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:36.159{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A03500A97AA28248D3AD84C7FCD87E1,SHA256=4DCA8D9BCC075B47C1461164752C42AB100953707FD0648646372DA4F29CA7D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:36.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:36.383{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=371F5A832850C013341DE05952DC20FD,SHA256=863DCEBBFB6D879E30FDB2FF78B958377DFA5F0FD879771EB02686868C48086Afalsetrue 11241100x80000000000000007556672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:37.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:37.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40C4B4D5DFF81C3E2A46B98B8A9415A,SHA256=F569C1D19E6D492CE7BE7F813C5350F39130CCAEB7ECED4F43F2B1B93CEC6111falsetrue 23542300x80000000000000002132144Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:37.530{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=97B3507531E5D655F7C26C6E0276141E,SHA256=98E1194E5AC90B7863AFF1720CC225F6DECEB0B1FEEAE8C7C12C54A5710E8506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:37.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91548E0226FA78CC68EBBAD5C854B1D,SHA256=BD2B853D4FF2F03141B94C5F5DFF49A70FA84537C828F55AA53B18E4D3ACA390,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:37.219{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:37.219{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3308D1B6EE69AB317AFA7A807B0A21E7,SHA256=4A4F2BD56F909DE53A6F1248689C7B2D844DED7910F98920CC1FBE01DBC2E24Ffalsetrue 11241100x80000000000000007556668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:37.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:37.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2DFC805395981CEA6A145101418303CB,SHA256=F44E1B186E0A2F1AE7B1B42775F944374F3D0678A3E9D0AF17B3D6709A70466Afalsetrue 
354300x80000000000000007556679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:20.063{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56918-false10.0.1.12-8000- 11241100x80000000000000007556678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:38.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:38.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1257DE7F1C58E79E7B3C0BDA7B8364B0,SHA256=DB4E3D5E3843A69EF020713D5F0D4125675E70B468DCC86A08791DFF1A521F7Dfalsetrue 23542300x80000000000000002132145Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:38.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7BBC2A9388E8C3E05F232070121893,SHA256=4D73A439842C357E3CDC55AA59F0A5889D90D1F8139F5D88D5721161E86712B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:38.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:38.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE29E8BC32E0BBA78777BBD0CDF7965,SHA256=47F4ABC650A009C9D507C14A382CF1D8AA921AF1931BA00F20CAD01DADB02CF3falsetrue 11241100x80000000000000007556674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:38.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:38.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A34F5B271C93709FD613BC6481804A9B,SHA256=F86A76DF918BEF143379747D1247DCBDA836BF9C97C8C0B5FEDB494821ACD785falsetrue 11241100x80000000000000007556682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:39.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:39.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9994381B1DAF96054E55D167C741A99,SHA256=B7EFD8CE54B81C4916A8B2C11440BA41AA4E7D5ECBE26C04A11E0399087418ADfalsetrue 23542300x80000000000000002132146Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:39.201{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE6F2375D25DAD5ED00FCF302150DCC,SHA256=F9990E8448C940C85C19A99A31D9897A5D6F01F4873277971F958EB5B9072D7A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007556680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:39.194{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Responsiveness\WordBinary Data 11241100x80000000000000007556684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:40.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:40.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D745313E574F55E42A2BF8C6F792BF1F,SHA256=300E7DC529F4FE71A0AA4B79210D359DC2CAC4FCF7BD7044F8C428C16DF5A1EEfalsetrue 
23542300x80000000000000002132147Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:40.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A649FB6EF0CA246347D418F65CF16F,SHA256=AD52A1E6AAB643828DB814EB670FC8121C5BA3C427ECA89E7F8B287E3C9D9D3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:41.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:41.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D10EB2C4C438BCD44373EDB3BA299FF,SHA256=EEA037D0D8665D2E3116ED870FCCBB6F7D0C73803B4246C2B70CFF61EE9314DBfalsetrue 23542300x80000000000000002132148Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:41.206{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BFFF9A5B0A0980438D169C600A754A,SHA256=B27520622911A95BED9DD71DDDBC4BD31DD700F5DD290871ABC1D0DE8E92B0BA,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007556686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:41.328{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:41.328{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=676171845581DE508B7C786748651642,SHA256=42F338EE8E1B2E45A6EA37D56ECE025381A4F145BBFB021FA9B984D60A257A8Bfalsetrue 11241100x80000000000000007556696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:42.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:42.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB96DB456925E9C7AE75BEF56ACFBAEB,SHA256=25F0066A7065C1796E70D7397CD37784DAA146497245B6A681639CEE40099B8Cfalsetrue 23542300x80000000000000002132151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:42.206{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE61B7BBB4F48D0066F9CAD51FA87EC,SHA256=9AAF946D83C8ACCCAF48EE5B30E11184C2BAD5011C803E7453081B0D1C9076DC,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007556694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:42.888{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007556693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:42.888{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007556692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:42.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:42.289{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1BCA5E1C4F6B7AE9BA26AF913531D03C,SHA256=11F86AB0E6D097477075F07409BA17A8ADB4D0C424A9737362BD1FA5B49B3109falsetrue 11241100x80000000000000007556690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:42.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:42.273{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7ACF6CF56A224A0901E9F7421B403AE4,SHA256=D2A7EAAB45D271504B48CA2AEF939DA08E9953D6BE1BC9AF1D24D76E881E176Bfalsetrue 23542300x80000000000000002132150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:42.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C284B161FAAA3C38E11991857C38BCB0,SHA256=530C479C1C97D8B34A2F3245177651F8F94B1BB4256194AB607087E768432353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132149Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:42.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FCF174DEEE6FFE333FC1121462FC71,SHA256=FF2979B4243E95EEC53FD657DF2EFDE02D806EC55BD1754250CD44ED6B73E056,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:43.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007556701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:43.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44F51828459C6096CB4E0DA66C413B1,SHA256=DEBAEF2A6C3E2A93965EEA632240BC351D87660BF7941D7CBE36A51C409805BAfalsetrue 23542300x80000000000000002132153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:43.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271CDF89B8C46106D094DFDABA44D2F8,SHA256=B312C2BAC23EB4A8E92364B6FE09D5E5810B9A8EF88635F56B28FD8E049EBA68,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007556700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:43.908{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:43.908{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4E60F7D64CC5F633A62DED3614D37E8,SHA256=A75374CFC996F8FABCFC1B361411B19E365A8D8DC819D35480FD2F3044E07994falsetrue 11241100x80000000000000007556698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:43.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:43.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE29E8BC32E0BBA78777BBD0CDF7965,SHA256=47F4ABC650A009C9D507C14A382CF1D8AA921AF1931BA00F20CAD01DADB02CF3falsetrue 354300x80000000000000002132152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:33.874{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62396-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:44.208{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075DCED1F998C4AB220DB565D3826079,SHA256=E51094C3B82DFC292F82F7C7BB2463AA1082DA7BAC1BAB478A76153E3741C788,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007556814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.869{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007556813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.869{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007556812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.869{4DF467A6-91D0-613B-8F22-01000000F001}49243164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007556811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.869{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007556810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.869{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image 
HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007556809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.753{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007556808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.753{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007556807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.753{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007556806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:44.753{4DF467A6-91D0-613B-8F22-01000000F001}4924\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007556805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.753{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007556804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007556803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007556802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007556801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007556800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007556799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007556798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007556797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007556796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007556795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007556794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007556793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007556792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007556791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007556790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007556789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007556788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007556787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
734700x80000000000000007556786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007556785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007556784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007556783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007556782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007556781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007556780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007556779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007556778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007556777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007556776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007556775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:44.738{4DF467A6-91D0-613B-8F22-01000000F001}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
WindowsValid 18141800x80000000000000007556868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007556867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007556866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007556865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007556864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007556863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007556862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007556861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007556860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007556859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007556858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007556857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007556856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007556855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007556854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000007556853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007556852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007556851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007556850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007556849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007556848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007556847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007556846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007556845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007556844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007556843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007556842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007556841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007556840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007556839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007556838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007556837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007556836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007556835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007556834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.421{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007556833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.405{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007556832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.405{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007556831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.405{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007556830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.405{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007556829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.404{4DF467A6-91D1-613B-9022-01000000F001}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007556828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:45.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007556827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:45.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007556826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:45.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007556825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:45.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007556824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:45.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007556823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:45.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007556822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FA99EDC4E906D4463C2FE0FC58AD13,SHA256=FE21CDDB30A3AD98E52CA4140EBA797B43B400F7CD7F131BD66BD0E33C9337DCfalsetrue 11241100x80000000000000007556820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9353B0EF5820956AD47E9A30FE5811C,SHA256=C11BA1B3012CBA705DEA60FA2A8BE85E59C3870CB3E7DCD95F256CBCC4BEE807falsetrue 11241100x80000000000000007556818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:45.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4E60F7D64CC5F633A62DED3614D37E8,SHA256=A75374CFC996F8FABCFC1B361411B19E365A8D8DC819D35480FD2F3044E07994falsetrue 354300x80000000000000007556816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:25.754{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56919-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007556815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:25.754{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56919-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000002132156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:46.211{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC92D71629956F892A1FD93E8389562,SHA256=A5A6CF9DD3EA8372C89FF3F122F9814141ECB68708C05FB041BB1EB7BAB3164E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007557000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.934{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007556999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.934{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007556998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:46.934{4DF467A6-91D2-613B-9222-01000000F001}79686940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007556997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.934{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007556996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.934{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007556995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.819{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007556994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.819{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 734700x80000000000000007556993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007556992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007556991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007556990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007556989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007556988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007556987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007556986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007556985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007556984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007556983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007556982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007556981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007556980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007556979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007556978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007556977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007556976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007556975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007556974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007556973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007556972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007556971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007556970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.803{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007556969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007556968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007556967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007556966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007556965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007556964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007556963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007556962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.802{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007556961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.801{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007556960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.801{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007556959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.801{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007556958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.801{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007556957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.801{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007556956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.801{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007556955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:46.800{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007556954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.800{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007556953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.799{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007556952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.799{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
734700x80000000000000007556951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.799{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007556950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.798{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007556949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.797{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007556948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.782{4DF467A6-91D2-613B-9222-01000000F001}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007556947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:46.781{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007556946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:46.781{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007556945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:46.781{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007556944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:46.781{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007556943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:46.781{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007556942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:46.781{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007556941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007556940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30513D0EC122D0CD9EB1F03970EB484,SHA256=FB21D493D169EBC8C0D9FA1113AE6ABBDDEA8DE97FE69BCB9666A6C65454367Bfalsetrue 11241100x80000000000000007556939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007556938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0833BEC760D2A5CB1DFCDA7999C74EB5,SHA256=41D814BA946916A015D972923E1AD138DBD1AE75C2B9A48D4418A350D1954C45falsetrue 11241100x80000000000000007556937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007556936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27904332F9089D4D642505B5AA8B192B,SHA256=4EF7ED4D090F2162864C1DD81B16DD53C4DDB6B9A924CE60C1FA5597A2B7CB3Ffalsetrue 534500x80000000000000007556935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.235{4DF467A6-91D2-613B-9122-01000000F001}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007556934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:46.235{4DF467A6-91D2-613B-9122-01000000F001}49441604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007557098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007557097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007557096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007557095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007557094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007557093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007557092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 
734700x80000000000000007557091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007557090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007557089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007557088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007557087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007557086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007557085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007557083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007557082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007557081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 
10341000x80000000000000007557080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007557079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.932{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007557078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.918{4DF467A6-91D3-613B-9422-01000000F001}7372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007557077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:47.917{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:47.917{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:47.917{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:47.917{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:47.917{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:11:47.917{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous 
Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007557071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C8A9F5B084A9F2CE90D6E7BFC531A9,SHA256=614AC8E66579C2B7B845A2156D2035155175750BA7B4B40AD3CC7FCE2C30C4DCfalsetrue 534500x80000000000000007557069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.465{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007557068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.465{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007557067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.465{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007557066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.465{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000007557065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.418{4DF467A6-915E-613B-8222-01000000F001}56766140C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52cbf|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52c5a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52bd6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+5259d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+7cc7f|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1e87dc|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1210|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1602|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007557063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007557062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007557061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007557060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007557059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007557058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007557057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.349{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007557056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007557055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007557054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007557053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007557052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007557051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007557050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007557049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:47.333{4DF467A6-91D3-613B-9322-01000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
13241300x80000000000000007557183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.587{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A6\VirtualDesktopBinary Data 12241200x80000000000000007557182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.587{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A6 13241300x80000000000000007557181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.572{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A4\VirtualDesktopBinary Data 12241200x80000000000000007557180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.572{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A4 23542300x80000000000000007557179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.540{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FD5BDFA7.jpegMD5=98B5273E3C1D3B27777A1A17E51478A5,SHA256=3953378734D19ABC3AAC6F760C713A10300517C40DD605C7D7518995914205AAfalsetrue 
12241200x80000000000000007557178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.525{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 12241200x80000000000000007557177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 13241300x80000000000000007557176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007557175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000007557174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\PointsBinary Data 13241300x80000000000000007557173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007557172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{51AEBD2F-ABEB-4C4D-AD15-26A4A9F32BE5}\TypeDWORD (0x00000000) 12241200x80000000000000007557171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 13241300x80000000000000007557170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xf30c1d38) 12241200x80000000000000007557169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007557168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 23542300x80000000000000007557167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.525{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{0FC4ABF7-4E28-4140-B663-1CA9EDE67A79}.tmpMD5=F966C4050B2A49D6F0F5625881E3B486,SHA256=18C65CAEE87851FE1A79369099C0F57F1679724FB25E5188AE27FC88427064ABfalsetrue 23542300x80000000000000007557166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.525{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\~$Letter before court 4.docxMD5=DC09A6490E44C6DD16DE7B0D8BF92C5D,SHA256=56C2D4FC70030E0903C048F65045B48DA82BF6DFF7BBED0F77C284BBDC9128C8falsetrue 10341000x80000000000000007557165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\windows.storage.dll+3c6ffe|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007557164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca15e|C:\Windows\System32\windows.storage.dll+3c5e2f|C:\Windows\System32\windows.storage.dll+3c6f70|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007557163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 
12241200x80000000000000007557162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:52.525{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469DAB7 12241200x80000000000000007557161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:52.525{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469DAB7\2469DAB7 13241300x80000000000000007557160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.525{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007557159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.509{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007557158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}56764196C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c76c8|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007557157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}56764196C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007557156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}56764196C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007557155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FD5BDFA7.jpeg2021-09-10 17:11:52.509 13241300x80000000000000007557154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 
2\Position1451192441 0 13241300x80000000000000007557153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 2\Datetime2021-09-10T17:11 13241300x80000000000000007557152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 2\File PathC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\A Letter before court 4.docx 12241200x80000000000000007557151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:52.509{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 2 13241300x80000000000000007557150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.509{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007557149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:52.509{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 
10341000x80000000000000007557148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.509{4DF467A6-3EE5-613A-21FA-00000000F001}24287772C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007557147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:52.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F088C7E3CC4345EE92C9259FACA0FCE,SHA256=87A6433CDAA02A940F425E2C551114CFE8EDDABE5A65EDE275846CDB113D74F1falsetrue 23542300x80000000000000002132169Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:53.308{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E99072F65A16CF605A23D5F2FE43B3,SHA256=D8CE34BA57FFF8724586495BF979F1EE9C68483281D8F9566C4885B641CDDA84,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007557199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:53.539{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:53.539{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:53.523{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:53.523{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:53.523{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 11241100x80000000000000007557194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:53.408{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:53.408{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91AACAB1426AB4F69021FBC9CF77D0B,SHA256=E9E7EEA356310CF1D283B1ABC5A384D071650221638FF575B189DA68B7F0F565falsetrue 354300x80000000000000002132168Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:43.985{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62398-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000007557263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.952{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C01A0\VirtualDesktopBinary Data 12241200x80000000000000007557262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.952{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C01A0 13241300x80000000000000007557261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:54.921{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007557260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.921{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007557259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.905{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007557258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.905{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x80000000000000007557257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.905{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data 13241300x80000000000000007557256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.905{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6Binary Data 13241300x80000000000000007557255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:54.905{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14Binary Data 11241100x80000000000000007557254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnk2021-09-10 17:09:50.434 13241300x80000000000000007557253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007557252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 12241200x80000000000000007557251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C02A6 12241200x80000000000000007557250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14 
12241200x80000000000000007557249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6 23542300x80000000000000007557248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnkMD5=408268658F54F9AEA4D56EAA4CFD2DB9,SHA256=25890CCB5F8D4BC144C0C325156AFBD59143397D20C8D595302DD310B9677981falsetrue 12241200x80000000000000007557247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder 12241200x80000000000000007557246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 13241300x80000000000000007557245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x80000000000000007557244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 
13241300x80000000000000007557243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListExBinary Data 13241300x80000000000000007557242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\2Binary Data 13241300x80000000000000007557241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\15Binary Data 11241100x80000000000000007557240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\PRD.docx.lnk2021-09-10 17:10:55.218 12241200x80000000000000007557239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\15 12241200x80000000000000007557238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\2 23542300x80000000000000007557237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\PRD.docx.lnkMD5=ED741FECCDC897AFDB87C6C6BA1982AA,SHA256=64BB5EFDDBB667C4EB4D518AB6D0B5F96679B5A8503C39D8CABA9C6B720D9102falsetrue 12241200x80000000000000007557236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx 12241200x80000000000000007557235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 12241200x80000000000000007557234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007557232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007557231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007557230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 12241200x80000000000000007557229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000007557227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\PointsBinary Data 13241300x80000000000000007557226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007557225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{A5106BB6-452B-4DD8-AF93-3D1FCDC6DBC7}\TypeDWORD (0x00000000) 12241200x80000000000000007557224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 12241200x80000000000000007557223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 13241300x80000000000000007557222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a666-0xf474f1fd) 12241200x80000000000000007557221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000007557220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 12241200x80000000000000007557219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007557218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 23542300x80000000000000007557217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.889{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{7D36ABB6-6C8D-40DF-8226-0CCEED70F740}.tmpMD5=FF137C0341782984327DA2A1B68FDA62,SHA256=D4B4B9F88CF649ECAAF042D2D6F908622D70F164F3A19291F5C759F6261693DCfalsetrue 10341000x80000000000000007557216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\windows.storage.dll+3c6ffe|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007557215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}24288120C:\Windows\explorer.exe{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca15e|C:\Windows\System32\windows.storage.dll+3c5e2f|C:\Windows\System32\windows.storage.dll+3c6f70|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007557214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.889{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 
13241300x80000000000000007557213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.888{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 23542300x80000000000000007557212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.888{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\~$PRD.docxMD5=F30F2660678427A623692420FCA593E0,SHA256=97AB7D1501D1D673B242078058B1826BBCDF3CF8362C8C9751D6FAA8F6C24E5Efalsetrue 12241200x80000000000000007557211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.888{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007557210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.888{4DF467A6-915E-613B-8222-01000000F001}56764196C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c76c8|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program 
Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007557209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.888{4DF467A6-915E-613B-8222-01000000F001}56764196C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007557208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.888{4DF467A6-915E-613B-8222-01000000F001}56764196C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007557207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:54.887{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469AD00 12241200x80000000000000007557206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:54.887{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2469AD00\2469AD00 13241300x80000000000000007557205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:54.884{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 3\Position1015125812 0 13241300x80000000000000007557204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.884{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 3\Datetime2021-09-10T17:11 13241300x80000000000000007557203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:54.884{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 3\File PathC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\PRD.docx 12241200x80000000000000007557202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:54.884{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Reading Locations\Document 3 11241100x80000000000000007557201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.453{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.453{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5203997FDABD737B37786D0402A3DB,SHA256=4E8BA03D87D783EC8F675E4E8DDE5442AF69D3A8B301395119D16CF104B68482falsetrue 10341000x80000000000000002132213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.905{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132192Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132191Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132190Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132189Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132188Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132187Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132186Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.904{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.704{AEE49BD1-91DA-613B-AE1B-01000000F101}13881976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91DA-613B-AE1B-01000000F101}1388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132181Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132180Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132179Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132178Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132177Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132176Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132175Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132174Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132173Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:54.572{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-91DA-613B-AE1B-01000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132172Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.572{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91DA-613B-AE1B-01000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132171Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.557{AEE49BD1-91DA-613B-AE1B-01000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132170Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:54.341{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECA04F74B8B7782EB2DC8006BE16CB9,SHA256=1D44C1B7E235AA39C299EFE522D5CDE5B1BB9B7E3E8255093603A225F21164C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002132242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:55.810{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91DB-613B-B01B-01000000F101}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:55.810{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:11:58.678{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007557412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.678{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x246a837a) 12241200x80000000000000007557411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:58.678{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000007557410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.678{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a65e-0x94aa4302) 13241300x80000000000000007557409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.678{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a666-0xf66eab02) 13241300x80000000000000007557408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.678{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a66f-0x58331302) 11241100x80000000000000007557407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.531{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 
23542300x80000000000000007557406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.531{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C7E7442F01DFE8E5FE20F82C67A06694,SHA256=1098BE8BDC634B510B261B2426154AD9A051CFC68AC53C60B92F56094D88746Dfalsetrue 11241100x80000000000000007557405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.382{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.382{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60758A729B3AFCABB315CB1CEB3A8286,SHA256=2DEFD8BA29C9E96F5F529019CA41D88B8A2C34722141DE2CEF3C9A06E6F710FAfalsetrue 23542300x80000000000000007557403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.363{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdbMD5=2373263A271EFCB847853D2005130CD8,SHA256=1695F052088066960C758300E1876F7E37C5A4DE7DA7452C39ABFF87FBC7D10Dfalsetrue 23542300x80000000000000007557402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.363{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9DD6FB55.datMD5=07FFEFF17A8A1A1209AB3C2690D569D4,SHA256=57CFA30BB860B95B7012ED62427025959B671D270AAF67FC406FBC3C4F3C48D4falsetrue 254200x80000000000000007557401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.363{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1631293791801278500_B9769A37-601C-44A5-9770-4AEB59C047C9.log2021-09-10 17:09:51.7992021-09-10 17:09:51.799 11241100x80000000000000007557400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-09-08 15:58:21.681 23542300x80000000000000007557399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=D17E9C118C3A46685D70D280C9D09E23,SHA256=D63DB843932BBC69AC92B9D3920536AB07E6BB0FDF21327C1ABC217C34703678falsetrue 13241300x80000000000000007557398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 11241100x80000000000000007557397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json2021-09-08 15:58:21.697 23542300x80000000000000007557396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5=33018E594759256A809F5A15411E1CA2,SHA256=272AC606C01D0ECC249FBAD56BCE15F62E44D7A35AA6701292A9A2A285A6E883falsetrue 11241100x80000000000000007557395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json2021-09-08 15:58:21.681 23542300x80000000000000007557394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3falsetrue 23542300x80000000000000002132246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:58.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6681A8DDACA91935FF762B84A8FB5FF0,SHA256=164F93BF6542B88C6DD88662AD6364867ABAE6FF5963BE0E50A792AA544C23F6,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007557393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-09-08 15:58:21.681 23542300x80000000000000007557392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=D17E9C118C3A46685D70D280C9D09E23,SHA256=D63DB843932BBC69AC92B9D3920536AB07E6BB0FDF21327C1ABC217C34703678falsetrue 11241100x80000000000000007557391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json2021-09-08 15:58:21.681 23542300x80000000000000007557390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3falsetrue 11241100x80000000000000007557389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json2021-09-08 15:58:21.681 
23542300x80000000000000007557388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5=E4E83F8123E9740B8AA3C3DFA77C1C04,SHA256=6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31falsetrue 13241300x80000000000000007557387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 23542300x80000000000000007557386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F323C2D3-F276-41BE-AB9B-3EE50201D2A0}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsetrue 23542300x80000000000000007557385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.347{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F3DB09F8-8746-4FEF-A6AA-78558F8D8690}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsetrue 13241300x80000000000000007557384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:58.347{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B01C0\VirtualDesktopBinary Data 12241200x80000000000000007557383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:58.347{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B01C0 23542300x80000000000000007557382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{802746A9-F4BD-4814-B33C-100247AE0FB0}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsetrue 23542300x80000000000000007557381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B36ABA33-FEFA-4603-A11D-AD0A49C32D3E}.tmpMD5=9B5C39422D02591359E7428EAF2D8B9B,SHA256=3D8434D4B5943B166CF3623B719234ACDB591D3BED18700439DB1EE672E6CF06falsetrue 23542300x80000000000000007557380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{743EDD07-21C7-44D8-97CF-2B48F6A3A109}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsetrue 23542300x80000000000000007557379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{EF422903-E6A5-4F39-BFCC-F750C0C8FBFE}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsetrue 23542300x80000000000000007557378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{02C1ECA5-4488-4835-BC08-08AC1A3D2A52}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsetrue 23542300x80000000000000007557377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{60DCF194-2F59-412A-94E5-DC96E79BB3E5}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsetrue 23542300x80000000000000007557376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotmMD5=559F1E600F5AA95276A694A971FFA6D3,SHA256=DC88282E7CF66019433712EA59CC8B81499BBB7BB5DC95994284602831779DD5falsetrue 13241300x80000000000000007557375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 12241200x80000000000000007557374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:58.332{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B01C0 13241300x80000000000000007557373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.332{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 13241300x80000000000000007557372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.300{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007557371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:58.300{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007557370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:58.284{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007557369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.284{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000007557368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.232{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5676\0Binary Data 13241300x80000000000000007557367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.232{4DF467A6-915E-613B-8222-01000000F001}5676C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Data\SettingsBinary Data 13241300x80000000000000007557366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x80000000000000007557365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data 13241300x80000000000000007557364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6Binary Data 13241300x80000000000000007557363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14Binary Data 11241100x80000000000000007557362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnk2021-09-10 17:09:50.434 12241200x80000000000000007557361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14 12241200x80000000000000007557360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6 23542300x80000000000000007557359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnkMD5=DC68F864424E14D9B9A50AB350789E01,SHA256=A7CB65982D26D6642B895E1602B25077F54A0D16ED214DE6612FBAD8A642633Dfalsetrue 12241200x80000000000000007557358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C01A0 12241200x80000000000000007557357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder 12241200x80000000000000007557356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 13241300x80000000000000007557355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 12241200x80000000000000007557354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 
13241300x80000000000000007557353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListExBinary Data 13241300x80000000000000007557352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\1Binary Data 13241300x80000000000000007557351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\13Binary Data 11241100x80000000000000007557350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Project details (1).docx.lnk2021-09-10 17:09:50.422 12241200x80000000000000007557349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\13 12241200x80000000000000007557348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:11:58.185{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\1 
17:12:05.689{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510299D8D0B547F4779FB048CE8F7595,SHA256=BFD40144474240C89BEA76B83F0A589224CF53EEC44E3F2FF687B9829E94CB34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:05.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:05.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D848293D4ED9F4798E61934443D1934E,SHA256=D8AFD34095E43E9BD4B42F13C14C191E8C4A67918B7EC8AB15B8ED5DDE3CB87Efalsetrue 354300x80000000000000002132257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:11:56.002{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62400-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:06.691{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61C4B83C4EC975ED8B6E73737E6ABD5,SHA256=78D83F8BCF5833AC8C3A1271A8E9086EEE6431C3BF1B4DA98840515E08F869F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007557481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:48.020{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56926-false10.0.1.12-8000- 11241100x80000000000000007557480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:06.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:06.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=978F1350C7CD1D538EFE983222C62B89,SHA256=1155493BC1C2D6E883B07CED2005DFD6B01551223288BDEC177BAD2EF28A4652falsetrue 11241100x80000000000000007557478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:06.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:06.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D58340B85A9BBE43D6978E3E292EE90,SHA256=5211A9C785FE3CEE61D050D8F9B187890C736920C053A27CB0D3AFCA8365C30Efalsetrue 11241100x80000000000000007557476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:06.153{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:06.153{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB70DDBD94DEB737D5AA78F3A16838B,SHA256=3136FA81406FDFC1F9A0B32B28A62F1B3F9A7C56254675096E0E84EF0A593BC5falsetrue 11241100x80000000000000007557487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:07.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:07.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6C2A80CF590954AE058DCA0AF00B4896,SHA256=9D6965471CE11A975968BDDCFCD3A41B789C5365DB4B1D216AEB7464CAC0AE25falsetrue 
11241100x80000000000000007557485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:07.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:07.651{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=13192A20035EEF6FF0746200FCA46ACF,SHA256=4D5662D195B96A4BFC06CA0DA9EC1D747EA5D6CA2EEA3FD0D045699F55F12431falsetrue 11241100x80000000000000007557483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:07.205{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:07.205{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0BE6FE118D0B6CD70DBA3ADC72B52A,SHA256=37C509C7BC43366B3CA60A4CDD2BC075C76C5AC92F0626BBD0CC985A56E62E90falsetrue 10341000x80000000000000002132273Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91E7-613B-B11B-01000000F101}4108C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:07.930{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-91E7-613B-B11B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.930{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91E7-613B-B11B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.924{AEE49BD1-91E7-613B-B11B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.693{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82170F3CE8B421010366CD2F0A06D29,SHA256=60D352698B02CAD603C9EBA5ABA71C2C5F106BF411743C565127C6406AC873A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.961{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E94AE670039EBB3BFC3B31840FD7F6F,SHA256=D6EC4A0B0EAB8D9E302A27CF3D6CC7B0E4EFB852E2BD4D4F10B7D3496D9684DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002132289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.745{AEE49BD1-91E8-613B-B21B-01000000F101}18486100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002132288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.745{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92640B1EFEE3434F38EF7892F24F0795,SHA256=9E8FE7EA377EFBDA423BD64D90EC231385F67E69F73B400A26EB34CEE0FCFF8A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:08.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:08.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B141EF01176C6A29460FA2AA930DF75,SHA256=4FDE97BAD5926A15A5D7E0EA30B547ADC833F91B4F0F93FE529601FE493DBD87falsetrue 10341000x80000000000000002132287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91E8-613B-B21B-01000000F101}1848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:08.608{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-91E8-613B-B21B-01000000F101}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.608{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91E8-613B-B21B-01000000F101}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.593{AEE49BD1-91E8-613B-B21B-01000000F101}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002132274Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:08.061{AEE49BD1-91E7-613B-B11B-01000000F101}41085592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002132305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.861{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FC4D445A7896AC2FF5076AC72C42FB,SHA256=C545809131432DB7DEA17D1445E663472726536DE05F50539C05AFB6A5EB6F32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:09.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:09.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A107CBEB49509F999A9B2414563E5427,SHA256=14629764BDD474FF8BA85107967A41D63D2BEB0632F58155835BEC98F6905D91falsetrue 10341000x80000000000000002132304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.407{AEE49BD1-91E9-613B-B31B-01000000F101}45841080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91E9-613B-B31B-01000000F101}4584C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:09.292{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-91E9-613B-B31B-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.292{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91E9-613B-B31B-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:09.277{AEE49BD1-91E9-613B-B31B-01000000F101}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007557491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:09.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:09.234{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3342ED2FC5FBA30E47FED60182E9574,SHA256=985BCED7326166C63E440AB1436E5D9A820ED39D398C8EC982D40F4372D554E3falsetrue 23542300x80000000000000002132308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:10.909{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0079281BC992BDDF8E3FF149B724955A,SHA256=74CA3788E15A0E7168515A4B2C1928EC0A2A3BEAAE1BFE427D20B083090E0411,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:10.349{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:10.349{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ECB38049E29E85C6C3FC9F950C5C81,SHA256=9D5FA2BB2E500B6EA1C76FABC905525C140BCD84ADA6415FDD6990044FB3AEADfalsetrue 354300x80000000000000002132307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:01.914{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62401-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:10.161{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15DE188637501E2B735E2EDA8B108145,SHA256=20B4AD1E896FC2E3B289AF767B6BDC725C8752C428D2DB015F4D52157039D4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:11.911{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2D36748BA8FE3111B275BD62A8C1E7,SHA256=E6852E3FB71BAB6AD6BB82DE61F210933DB67001D5C3B52416246BC9C8D706FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:11.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:11.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DDBBDF375B96872D35D4E9502B3773C,SHA256=6D7F4605E72D3691E4CD5950424C3F7ABF8ED0A5ACD144D00D94C3319A627CA1falsetrue 11241100x80000000000000007557497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:11.385{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:11.385{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890B35571C26519C4D1C7C377D265128,SHA256=B06FBFF991B67B9A6685DA332AC18EF584EB9706F122EF3D364FE8898C03022Ffalsetrue 
23542300x80000000000000002132309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:11.664{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:12.931{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08004724316245EE04532AA2346E44C,SHA256=D5A23516F675C57E8AF08B3B7DD58C0DAF866F3291328B4BCC216C2A34894288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007557508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:54.013{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56927-false10.0.1.12-8000- 11241100x80000000000000007557507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.514{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.514{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99DADA8D113D8B839B2F1C64A7E0D196,SHA256=BC3358C35B493388142EC02C86DE749678A6FC0C113209AEF856C27F38DE3C5Efalsetrue 11241100x80000000000000007557505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.483{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.483{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AD20D68191D8299757ECDBBA9BEF53DC,SHA256=407E76887A85EEA580E0AB41A848686ACB440FC0B9353A263D460A25D08B6C8Cfalsetrue 11241100x80000000000000007557503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.399{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.399{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A8B1380BF09A7B1A6C7E398D22F1D6,SHA256=3F6DFF45C09F530C7EB9A28FF627C33416F2A3FDD3B23BD4AD6E7C5E91036CF3falsetrue 
23542300x80000000000000002132311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:12.697{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=752ABFDD7BAE4E8591BE03EDAD270F91,SHA256=07D13EF13D3F395628F85937EDC8AE1A3DC3E4063CCF5669970F3E1A160CE8EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.164{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:12.164{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF254DF4AB5D52FB00F035385FA5423A,SHA256=87E7EB3C9AF3DE4787C4810207CACD6B106F45D11744B09AEC4DFC36F463FA20falsetrue 23542300x80000000000000002132314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:13.935{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2291803E91503FCD74F0756899701E3,SHA256=64AEA4063CCC3A9944C3EE1EBE7EB13B27E4332505EFEF77993B8EAF18ABBF16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:13.412{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:13.412{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF93BC95F938695E8A3952C28C93685,SHA256=4F2314C83B93B30F31765ECB36F7AC5D76FCCD2E6DC6AAC5715C6B765B998C80falsetrue 354300x80000000000000002132313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:04.436{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62402-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002132315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:14.951{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CFA9566142E817124DD905528355E8,SHA256=A8653522C4C5876AFB646DA0E02F5EA7349490E7F719670946BC41812307080F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:14.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007557511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:14.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988AAA5ECCC4B5804E5E9A0BE846F90E,SHA256=38E018C19ADA6327976530282C411E0F7DEFCF9C9EF0B1007FF9DA80AE35063Cfalsetrue 23542300x80000000000000002132316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:15.953{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539D9BA89808396C1BC80611E9D16086,SHA256=89AD44AAF0E11C95052653F7B218CB6C859735CFD5EA7E3F7B9902A9AA0163C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:15.461{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:15.460{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E588018A1195D89BB0903EC3354E050,SHA256=E19B2D25DA411B6840DB84ED3310ECC1F91F521CEF28E52C0DB3E725CE4B2162falsetrue 23542300x80000000000000002132319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:16.954{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E994D1616211D0968D4D29F83D56B9,SHA256=127FA56EF5C750C14EAB48F699A5D48B117B50CB3476BCC5CD3C6CC4BB1FA761,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:16.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:16.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BDACB063C98E068BA03837B75CC0FAC6,SHA256=12AF6F9B89411116D49E845D4C8256A31F359495E5718D5BED2CB5382B4F57E0falsetrue 11241100x80000000000000007557516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:16.476{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:16.476{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C05675981CA5EBB3E8B0B90BF9F811,SHA256=7786E133CF9E595E1126A64B5D61D8858AE179EDDD2D2F1B9D8EDEAF9CC8D05Cfalsetrue 354300x80000000000000002132318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:07.854{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62403-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:16.068{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC58B360BD60FC407109A26A3B686FE6,SHA256=C98BBD65F5827504C781EE78BB7BA931793510429B8C6B4AF38B2D31F8E961DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:17.956{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB4957A92B78D623A07498AD7C54A6E,SHA256=8357A212FF981E2E534051FEB1FBAC15B9C72B9AA3DE27D45B5B3BAEA8FBADA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:17.754{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 
15:27:39.754 23542300x80000000000000007557523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:17.754{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E71A314DE172A91C91664103A3D47580,SHA256=6D0026B0FF8DB3280CC07460651A062BF06C87E0548F774C1644A036B9781A05falsetrue 11241100x80000000000000007557522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:17.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:17.736{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DDF787774402347C2DC34C5BE259225C,SHA256=2687F7F5403577BF24CF0F7716AE47E7B13E9524586F64A776E25E103EDACE8Ffalsetrue 11241100x80000000000000007557520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:17.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:17.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9912DBDE5129748AD25E292ABA42ADFB,SHA256=B7635D19058D1522B07692F5DF07BDEB41EB8308B228B78DB848BE4990654611falsetrue 23542300x80000000000000002132320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:17.319{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9920MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:18.958{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D0A2238D1D3638C5B8D3D9B049036A,SHA256=87B8D43FF80057299D8E9931E892CB658F4AE00AE61603462E829DFA29AC7F70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007557531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:11:59.956{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56928-false10.0.1.12-8000- 11241100x80000000000000007557530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:18.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007557529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:18.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C97AC1F073A8D628A35BCC90C8D082,SHA256=17CDB0DA78E957CEEABF4F92C476452C65FBFD2E267B0AD4A72280D5701B5830falsetrue 23542300x80000000000000002132322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:18.319{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9921MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:18.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:18.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F7ECE69205B1DD71F3EA3A53BC32AD4,SHA256=61CB0CCDF399833225AC904AA9E31B360BFAA3B48B97F8E6EF0C0C2FD4C30369falsetrue 11241100x80000000000000007557526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:18.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:18.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4788864390F484399B244A4901FA6A,SHA256=CB957417F60B7DA5C6C864327DA856D6F08ABF95865F94126C23E1C8ECFA3EF2falsetrue 11241100x80000000000000007557533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:19.552{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:19.551{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD16021C8E04B5DDCF2D1A0AA2C1C061,SHA256=852DCDF4E0FA1DE34DF0621CED0A4EFDF664EA7CCDA580898B68CD7A8BFBC0C5falsetrue 10341000x80000000000000002132336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-91F3-613B-B41B-01000000F101}3172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:19.089{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-91F3-613B-B41B-01000000F101}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.089{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-91F3-613B-B41B-01000000F101}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:19.074{AEE49BD1-91F3-613B-B41B-01000000F101}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007557535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:20.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:20.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7652D6B0A6C0E4DC181B3A4AAF7C819E,SHA256=072F4F48ADFE62075EC9AA50CB704CBADFCD8330A89A6807DB1935FE534A6BF5falsetrue 23542300x80000000000000002132338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:20.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88B7EA9BF4699BDBBB20C105AE84354,SHA256=294EDF13FEFD6E26B25F31B705463A6CB92633D10F55046695E00EAC28AFC9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:20.074{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2D679A772EC6AE79DBBAE84F62104D,SHA256=456295B6FCB49F8C31FEAEE11417E78282FF0C3ACFDC33760B83CB19D2CED8AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:21.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:21.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CE7F578574AB0AE5E32545607AAC6C,SHA256=FABD0A287FE1EA63C98D043F791D17B0B2CABB579DB62C8865EB3ADADB54B6D6falsetrue 23542300x80000000000000002132339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:21.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF21308EF43A8FF2D677AB6AD9B6E5F,SHA256=820BAA9F62911B3938EEAB4896FCD64C1BD0678BA8CA361CBF4C12098449C0D5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.697{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.697{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BDC4EF19AA0F433A48E94A9A05BC245,SHA256=94A5325D9E93EFCD93928964CBF174BA5675A3AF9AEC99C2F1FEB10F1F17248Afalsetrue 11241100x80000000000000007557543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BDEF583A62CFEEDC0A707DCE4F1B0640,SHA256=5CB2EE940D627B6823BA1AD02ACF9082F8906405301A1D26F27624AED1A594B6falsetrue 11241100x80000000000000007557541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:22.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF587D771299BCF86FC160EBD6C5902,SHA256=A6A2CF6EA47DB9DD4B40A2A9CA769D82E5E55BEC34F9410EBF00367220A5CDABfalsetrue 354300x80000000000000002132342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:13.828{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62404-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:22.143{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A553018EB810006F9BCDE689F7D85784,SHA256=CB49DEF964A36C3EF5B800E8D6756F0D90BCDD6732D3E408D46C44E0BECA798F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.082{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:22.082{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E855EC4163621B0485869F9C2E3CF2B6,SHA256=526722AD181DBD91C5E2A43FA06B7791CC6EDE8422BD48D23B8D2A9DF3DEE7FCfalsetrue 23542300x80000000000000002132340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:22.044{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B7B7F457D06D09A42B9A3CAEE3B1FB,SHA256=08604A23E01A30DBCEB9DD529A66093A948B428BCD1750FBB0F4021F6AE00F6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007557564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:05.032{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56929-false10.0.1.12-8000- 11241100x80000000000000007557563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FFC831CA43A86FB4AA7563D19B405B,SHA256=9C06CC7277711CD54428A1B7939420E27F8B53C225F4EB12C7C665B4B36886C7falsetrue 
23542300x80000000000000002132343Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:23.165{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1404C9305B89130D6C55B0E2FFEAE4AC,SHA256=9668A7A876890D48E679D25B9143EDF7AEE121D7706DBF017368BBF6F0A44F6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007557560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=E9875EDB3CFC8FCE754BFD2E3A531161,SHA256=F52F336039421CFCA7D482E6E2170979029244D9B465C8BF813A9F4437CC10AAfalsetrue 11241100x80000000000000007557559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007557558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=B7A413D2BC62A0ED89F6BDE4C4888474,SHA256=5C3AC9D1C8017D5D385AE190E97EE06E3D6064F7AB04724A13327BFEB3A7E252falsetrue 11241100x80000000000000007557557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007557556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=C59D76F75932598E6A2A53D0CDC4F462,SHA256=2329A54730EBF525948F818FD693D35FA164B45BF6062CBAE8E5484551C77432falsetrue 11241100x80000000000000007557555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007557554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=86A97076F875AE1DBD238DAB96FFAEB1,SHA256=E715452BBFA9CFDBC4C904B1A0DA6C05B833310865C1138AEB0A8D1090FA49C4falsetrue 
11241100x80000000000000007557553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007557552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=3BDA261413890D153AE6F5ECC5A9C9B3,SHA256=AAA52D210D2AFEC4A9EF2B8802BE6BCA304A25195CBEF3DDCBF6BB4B486061C1falsetrue 11241100x80000000000000007557551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007557550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.427{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=83F1E0D1A167B8BFD78AD97DDF2E835E,SHA256=C6A7EF92866AFB9AEBF77E06DF1AF005C68A5B6474F14BE86E8AFE225D7ABF6Afalsetrue 11241100x80000000000000007557549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007557548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E9D272FF6BE4B53E11F4D5428BD44B,SHA256=85AEB980FA48BEB5006CDD3CAE93D27E7A2562D120D75DB029CA75E7B060CCE1falsetrue 11241100x80000000000000007557547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:23.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F7ECE69205B1DD71F3EA3A53BC32AD4,SHA256=61CB0CCDF399833225AC904AA9E31B360BFAA3B48B97F8E6EF0C0C2FD4C30369falsetrue 11241100x80000000000000007557568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:24.725{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:24.725{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3CCD513206FAB3678814FBE1ABECFC,SHA256=0941F2335B49BCEC9247C396383AD31DA01541F86CA7BA3427E5AAE889E8E62Afalsetrue 23542300x80000000000000002132344Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:24.166{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD99986BEC2EEEABF707078CD8B647C,SHA256=275A8759D818799B96D625DC47F7293FADD9E82D9919711BDBA2E759F1572573,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:24.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:24.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E9D272FF6BE4B53E11F4D5428BD44B,SHA256=85AEB980FA48BEB5006CDD3CAE93D27E7A2562D120D75DB029CA75E7B060CCE1falsetrue 11241100x80000000000000007557570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:25.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007557569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:25.777{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8510CE323E5649F7B95DA78BF3D9663C,SHA256=C92BDD088DF4F3010745B38761401513F747C0D6F3D771B192D5A043A0ECDB36falsetrue 23542300x80000000000000002132345Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:25.167{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C892D83889ABF291A03BBB6D8E4BEFE7,SHA256=FEED6A939789445647B9DEAD9AA8EDA78894156A3AA867A386601DEAD09B3246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132346Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:26.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577CBF1C54FDF96D4A56047737896928,SHA256=6561DF53673AFBCF518A55C0D5FBE8A5CEEC0B27ABFDFC42463D5F58D6293B82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002132350Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:18.833{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62405-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x80000000000000002132349Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:27.185{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5299F18633CA1901E19B15977D6603C0,SHA256=2B2637B71A709F749B4668578C6C6E8A3BBD5BF1F4717E41FF08B7DC8D763EB7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAECA3E4607A6052802905B16B39D14D,SHA256=24CBFB604A6CEB525FBBAAB810100CDF4EFEDF765D103C401A787B8ED19B4869falsetrue 11241100x80000000000000007557576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=400CCF1D32C046D096CDD4DB459C70AB,SHA256=430772E5D445B4DCE663655125D049785B9C969FE9B16FA5E3F678E69BF6A38Bfalsetrue 11241100x80000000000000007557574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=80A690AE1DFE0CD1C2F383B822AB8A35,SHA256=EBC02D27112BC1EBC17AD7A0CB088B3543CF9C00C2152D786606C498EEF7B650falsetrue 11241100x80000000000000007557572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:27.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76560EE58F21F293E5A2578DB629D43C,SHA256=FD53C377CD258DB58314313098802BE1486716DD81F49810147F0E7F157FD067falsetrue 
23542300x80000000000000002132348Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:27.069{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E86AA07A60B0AAF8D2A18F41894FEC,SHA256=6A37ADFB84A31CA3D9D9CD545853F8EF18D6D7C2FFE065D0A7B2C9F44885F2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132347Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:27.069{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF51E41ABE195E1BC8E61A393BC6C466,SHA256=3BD4EC15C00F9F38523BCAD3C57803D79388C105EA0D41B9A8E82E89FD6143F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132351Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:28.201{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE6085AFD6FC6B04252C9B3D66D8C5F,SHA256=54B38B93F400D618406554993170686CED668B7330A64B576900C43E7085B22F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:28.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:28.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D69EFE0354BC5EA88A6A489CAEDDFA6,SHA256=18C9BDD2F58CF33BEE9CB94FD2E7390B951621A44158062DA9E81C14259F4A4Cfalsetrue 11241100x80000000000000007557580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:28.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:28.158{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3625C6CD147254C924071A3EF8BD1E0,SHA256=ADA238F75BCBB84A25E410EB3C00D67CBF1EC0A2FF232983E2CC8791E1148C5Ffalsetrue 23542300x80000000000000002132352Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:29.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CFA122866BC0BDC80B4CDDBE2C6BA6,SHA256=0BFA5890BF908AE3D321290436EE9F914AE971FFBADA310F1340688D6ED83DA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:29.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:29.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63158EFF9002446D7B02458D05C23366,SHA256=4757B44B8CD7C7C5523E89D9A98421560CC976D10D365436A40B9EA806ED9FD5falsetrue 11241100x80000000000000007557585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:29.203{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:29.203{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4EBF5055FD3B4F7DE19139CB4DCFB6,SHA256=0053DD034561B4D404346D3C0BB6DECF312556D3D9A8D6C86C9C323BDC5E134Dfalsetrue 354300x80000000000000007557583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:10.055{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56930-false10.0.1.12-8000- 11241100x80000000000000007557589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:30.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:30.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925AC04685BC603A0346D878C7C5DA27,SHA256=9AF989DC9ED2EDF494D281C8E92E711F2F6C8076459599829557225B3C5AAB73falsetrue 23542300x80000000000000002132353Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:30.204{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9164C87EE2D5F7F2D9CD1B2AD5951233,SHA256=ECC1D41C7DC0C6E527A5C23F4593C44A6BFCE6E0D130A4C37591B3B16BCA4EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132355Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:31.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5607D5ABBE16D51184E6640E84203ED8,SHA256=857C0F75262FDA13F660FD570D25D1D2F8B7DBD26A420B586FB6164DAE27C1F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:31.752{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:31.752{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3DC55C7B7FCBC78154A7AD75A1466F4,SHA256=8602257E84EFD02930B80AF0E80CB2E91200F7E3D661C1D2F21EA5950571C7F4falsetrue 11241100x80000000000000007557591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:31.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:31.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E55F6A931F44740E59CF36E235A36AE,SHA256=0AF679BF69DFCCAD47E22780B2CEA2FA51B66A5A3A113FF01EE114DB83AF70B4falsetrue 23542300x80000000000000002132354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:31.154{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F9D14FFF3F8AC4F7A73524A3A96C39C5,SHA256=203AC6B470C55972E730A65F4ACB35B15BB4EFAFC3CD9ECDBB6EE397D4D97711,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002132358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:32.309{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D67DE81A442D9A97C970D3A3D9D9D6,SHA256=97C7BE1F7A9857089D3F692C8EF66EA73D3855157BC7890601E215CDA9CCEA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:32.309{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8E86AA07A60B0AAF8D2A18F41894FEC,SHA256=6A37ADFB84A31CA3D9D9CD545853F8EF18D6D7C2FFE065D0A7B2C9F44885F2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:32.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F12FAD73EBE90CB14FC86093CC96457,SHA256=8BA49F44FD19EBE092ED1625B82639326BB6E3E67CCE4F0CFEC0EAF97BFC0A20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007557613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:32.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:32.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=220B8B9964E1D212A62B08043DE5B764,SHA256=D3732A243877F1C7340665DE936ED2E18AA7C2CA62DA4B5E9A1DE3FFDAF666BBfalsetrue 11241100x80000000000000007557611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:32.666{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:32.666{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F3E37DE3B25A1E8D04E22CAEBD90A2ED,SHA256=F7E38092DDE10B289191ABF90DC45D92ECFE2EA7F9F01458FD2BCBA3FF92DD8Ffalsetrue 11241100x80000000000000007557609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:32.582{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-10 17:12:32.582 23542300x80000000000000007557608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:32.582{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js | Hashes=MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557607 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.582 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js | CreationUtcTime=2021-09-10 17:12:32.582
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557606 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.513 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | CreationUtcTime=2021-09-10 17:12:32.513
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557605 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.513 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | CreationUtcTime=2021-09-10 17:12:32.513
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557604 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.513 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal | CreationUtcTime=2021-09-10 17:12:32.513
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557603 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.513 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | CreationUtcTime=2021-09-10 17:12:32.513
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557602 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.331 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\SiteSecurityServiceState.txt | CreationUtcTime=2021-09-03 20:49:00.201
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557601 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.331 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\AlternateServices.txt | CreationUtcTime=2021-09-03 20:49:00.269
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557600 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.331 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | User=ATTACKRANGE\Administrator | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\SiteSecurityServiceState.txt | Hashes=MD5=A015FB04DCC34F05C811B3A4A5C4A5D0,SHA256=F7FDC672C9391C9595AF3AAE3787D5466BC3CA82CDDA87D6163E2B7AE993CC59 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557599 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.330 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | User=ATTACKRANGE\Administrator | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\AlternateServices.txt | Hashes=MD5=B83764430465699F261431A344E63993,SHA256=D715901D77540744F62D7B496E8702098094917DF9CEBB91F2615B1B420D3548 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557598 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.251 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557597 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:32.251 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=AD52D0495AA6D2D3F2033B87EABBA0DF,SHA256=2236E11F7146441F99E1682147D3746756751D8486722EC7078CA56121B6E3D3 | IsExecutable=false | Archived=true
EventID=12 | Version=2 | Level=4 | Task=12 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557596 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-10 17:12:32.051 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
EventID=12 | Version=2 | Level=4 | Task=12 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557595 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-10 17:12:32.051 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
EventID=12 | Version=2 | Level=4 | Task=12 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557594 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-10 17:12:32.051 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | TargetObject=HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132360 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.211 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E1CF96C71EB46CA6CDF982C0810ECBE4,SHA256=D4C87AA2CE201D7D39A71EBE08607F2935D64B2407013BFF6C221B53B0C92858,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557620 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.698 | ProcessGuid={4DF467A6-3F58-6132-2900-00000000F001} | ProcessId=2880 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9929 | Hashes=MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557619 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.697 | ProcessGuid={4DF467A6-3F59-6132-4300-00000000F001} | ProcessId=3604 | Image=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-9929 | CreationUtcTime=2021-09-10 17:12:33.697
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557618 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.696 | ProcessGuid={4DF467A6-3F58-6132-2900-00000000F001} | ProcessId=2880 | Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-9930 | CreationUtcTime=2021-09-10 17:12:33.696
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557617 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.312 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557616 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.312 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=539CE023794EB94152BCC3A7231C7E83,SHA256=D373690A1CFC0DE5073622C22D9D39CED82E992C029DEF4BDD67269B93A043D2 | IsExecutable=false | Archived=true
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132359 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:23.924 | ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} | ProcessId=3472 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-296.attackrange.local | SourcePort=62406 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557615 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.065 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557614 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:33.065 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=8D0BF585656CD0EDF0D7347CC74BE4F2,SHA256=EAD0CD8F6F19FB60BCFD5EC2D71395633D43035BC9DD18C03DF0D47E471EFF51 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132361 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:34.213 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=05916ACDA3377713DD77ADBC717C8699,SHA256=3092632E3D32FBAC9185FB5F0FA2FD7BD972988B90FE6F2E6475F78BF98FFD55,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557629 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:34.710 | ProcessGuid={4DF467A6-3F58-6132-2900-00000000F001} | ProcessId=2880 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9930 | Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557628 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:34.332 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557627 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:34.332 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CE568154609AA38E4FB9AAD62CCA435B,SHA256=D859D5344ADACE98CF2FC8CBA8C3A1583E81C91ACE81450A6B1FB11373A71935 | IsExecutable=false | Archived=true
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557626 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:14.929 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | Image=C:\Program Files\Mozilla Firefox\firefox.exe | User=ATTACKRANGE\Administrator | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-291.attackrange.local | SourcePort=56931 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=44.240.138.42 | DestinationHostname=ec2-44-240-138-42.us-west-2.compute.amazonaws.com | DestinationPort=443 | DestinationPortName=https
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557625 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:14.928 | ProcessGuid={4DF467A6-3F58-6132-2600-00000000F001} | ProcessId=2848 | Image=C:\Windows\System32\dns.exe | User=NT AUTHORITY\SYSTEM | Protocol=udp | Initiated=false | SourceIsIpv6=true | SourceIp=0:0:0:0:0:0:0:1 | SourceHostname=win-dc-291.attackrange.local | SourcePort=53 | SourcePortName=domain | DestinationIsIpv6=true | DestinationIp=0:0:0:0:0:0:0:1 | DestinationHostname=win-dc-291.attackrange.local | DestinationPort=51751 | DestinationPortName=-
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557624 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:14.925 | ProcessGuid={4DF467A6-3F58-6132-2600-00000000F001} | ProcessId=2848 | Image=C:\Windows\System32\dns.exe | User=NT AUTHORITY\SYSTEM | Protocol=udp | Initiated=false | SourceIsIpv6=true | SourceIp=0:0:0:0:0:0:0:1 | SourceHostname=win-dc-291.attackrange.local | SourcePort=53 | SourcePortName=domain | DestinationIsIpv6=true | DestinationIp=0:0:0:0:0:0:0:1 | DestinationHostname=win-dc-291.attackrange.local | DestinationPort=58328 | DestinationPortName=-
EventID=22 | Version=5 | Level=4 | Task=22 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557623 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:14.905 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | QueryName=shavar.prod.mozaws.net | QueryStatus=0 | QueryResults=52.26.168.11;52.37.141.62;34.214.179.131;54.186.176.112;52.42.128.29;44.240.138.42; | Image=C:\Program Files\Mozilla Firefox\firefox.exe
EventID=22 | Version=5 | Level=4 | Task=22 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557622 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:14.904 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | QueryName=shavar.services.mozilla.com | QueryStatus=0 | QueryResults=type: 5 shavar.prod.mozaws.net;44.240.138.42;52.26.168.11;52.37.141.62;34.214.179.131;54.186.176.112;52.42.128.29; | Image=C:\Program Files\Mozilla Firefox\firefox.exe
EventID=22 | Version=5 | Level=4 | Task=22 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557621 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:14.904 | ProcessGuid={4DF467A6-4079-613A-86FA-00000000F001} | ProcessId=5896 | QueryName=shavar.services.mozilla.com | QueryStatus=0 | QueryResults=type: 5 shavar.prod.mozaws.net;::ffff:44.240.138.42;::ffff:52.26.168.11;::ffff:52.37.141.62;::ffff:34.214.179.131;::ffff:54.186.176.112;::ffff:52.42.128.29; | Image=C:\Program Files\Mozilla Firefox\firefox.exe
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557632 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:35.347 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557631 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:35.347 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A5D179834CB0C95E7346436992348FB7,SHA256=A2C490B93649B9D1283FB701AF1AE6A2F957844D1B86E39571C6573B326F477C | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132362 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:35.215 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=4481E0555AAF6292E441C020B5C52709,SHA256=745B8AB2E0D37E0CF082F4D1F8DBA699013097769E686691BAD0D2595D7875C6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557630 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:15.094 | ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} | ProcessId=4208 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-291.attackrange.local | SourcePort=56932 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557636 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:36.829 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557635 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:36.829 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=F4433B71ADE77D9AEF0CBBEF35734AB4,SHA256=B3D82F8348FB10CC5618883EE7B9348B255DA94AFDCCED9626CCC937328652BC | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557634 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:36.376 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557633 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:36.376 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=FE03BDB7F4A0EFFA6FFB6DA88A2AD95D,SHA256=F30474BA122825C8F1B6716AE76347C21B4F614E6009AE40A87728E6210359F4 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132363 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:36.218 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=B22121CDF38B6920E1A74FBDFF708D20,SHA256=67F61E89DBA1A41A7C5814C877CFF02B56BF6F6CA918A1AF29F51BCFBADB63D6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557643 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.774 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557642 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.774 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=9F577343E041DADBBD0D233144607E2B,SHA256=67C58C35DBFEF52CC2A1014DE5EB36ED932020C6C88A510750C8718D351FCBC6 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557641 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.758 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557640 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.758 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=F0552D04519BC46EF01E61773D16CE91,SHA256=D2F090DE7970086EDC3281A1E361E48BF754C7BF4FFDD8DC3E5B518E0AB1B693 | IsExecutable=false | Archived=true
EventID=18 | Version=1 | Level=4 | Task=18 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557639 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=ConnectPipe | UtcTime=2021-09-10 17:12:37.674 | ProcessGuid={4DF467A6-3F58-6132-2600-00000000F001} | ProcessId=2848 | PipeName=\lsass | Image=C:\Windows\system32\dns.exe
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557638 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.406 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557637 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.406 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=01D155561AD6A84BAAC0C3BCC91B870B,SHA256=CEA4A4C300D8ABE0B32C489AF8683D692BD265BE50CD69EB85373F20F01F0D42 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132365 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.272 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=89D67DE81A442D9A97C970D3A3D9D9D6,SHA256=97C7BE1F7A9857089D3F692C8EF66EA73D3855157BC7890601E215CDA9CCEA93,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132364 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:37.220 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D92196EB50575D3D38C68922C742B0BA,SHA256=89E9D2CD46504A1D747D4C7C40627A3741CD05C9BF46231C80E0B8E5AC51E708,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132367 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:28.953 | ProcessGuid={AEE49BD1-41F7-6132-D100-00000000F101} | ProcessId=3472 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-296.attackrange.local | SourcePort=62407 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132366 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:38.222 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=DE6EB2316892AA3E694DB641F5517F7A,SHA256=D280D51439871E8DF68876FD3F716BED1D67F14A361F7F5B9BEB28DB67484FEB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557645 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:38.442 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557644 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:38.442 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E5AE4BF6DC8CC6EC2458D6A48F11D3F9,SHA256=3362292EA9601F4DF47CA226C243A2ED1229F957AE74A92B56D6EC20953C0F9B | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132368 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.224 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=517E5E97509B4D98D031853555C560CC,SHA256=2A7E0E490128BD13281197ACF2594C4ECB96B2EEA0288E8A212F97D99213C7C7,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557651 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.455 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557650 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.455 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=C52F61E1A26ED17831F4D2E9083FC966,SHA256=2F5718EE9C08E940A57D5E8997A0A39D7012318D2254605100FB3A49578BE8A7 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557649 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.140 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557648 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.140 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=6937140147788F0E7E753528DA767DBA,SHA256=D49BD671AC9094D2DC7F4CD68F2C2F1E807259CD41E76624B4AF9AAEF970CD9E | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557647 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.140 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-09-03 15:27:39.769
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557646 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:39.140 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=C5D3B4F32F2257D8099AC9626E9D5BDC,SHA256=91C483C193D2B5C4BE11010ED7BEA70FDF25BA7857F3419F477308CCFB5C3C40 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557654 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:40.469 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557653 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:40.469 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=FF2FDF2C02CC31962E735C64985E6FCD,SHA256=5F4264A687B686BFB49DD0F007E26C1B7DF3E803A967311A3E2E3F53BAAAA8CF | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132369 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:40.227 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D601B278E37AB1FA75ED957963A6F0F2,SHA256=4EE866E7BAED682AE0374F9EB7A9A042DF2C2AEB57F76EE258D2D132E4285889,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=3 | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557652 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:20.985 | ProcessGuid={4DF467A6-D939-6137-81AF-00000000F001} | ProcessId=4208 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-291.attackrange.local | SourcePort=56933 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557658 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:41.837 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557657 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:41.837 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=DAF671FB56987CB259C2D940D2BBF792,SHA256=44E99295C8DF52E5117D6C3C4A17FB4474D750CAEBD27C8E8ADE79EC6623B429 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557656 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:41.500 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557655 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:41.500 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F43BC59D9AC214A181B31F8E397C6336,SHA256=F7EB209574CFA94AB92A08C32E5C388CCAAD485FFCEC1FDD14ADCB4F2F97A33A | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132370 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:41.229 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=2C428D7EA6BB04C068899B60FB3891E5,SHA256=301D0D87E3727E4AADCB2ADC0667B6B0C2482BB0C8FEDFD62149B56DA571EE26,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557666 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.966 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557665 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.966 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=69293666108711C498A36599C6B8ABCE,SHA256=3B72C271B0FBDDCD355DDEF293EFA3D6A776EFAFDBD53523A4A430A4066A2374 | IsExecutable=false | Archived=true
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557664 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.950 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | CreationUtcTime=2021-09-03 15:27:39.754
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557663 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.950 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | Hashes=MD5=9068543C3285A59574A8BB68530EE22C,SHA256=A52B99EA22D86F6145FAF137A14D92322CD45B2FD8A6E0F8B0D7B0A5DF6AC9DC | IsExecutable=false | Archived=true
EventID=12 | Version=2 | Level=4 | Task=12 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557662 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-10 17:12:42.898 | ProcessGuid={4DF467A6-3F58-6132-2800-00000000F001} | ProcessId=2864 | Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=12 | Version=2 | Level=4 | Task=12 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557661 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | EventType=CreateKey | UtcTime=2021-09-10 17:12:42.898 | ProcessGuid={4DF467A6-3F58-6132-2800-00000000F001} | ProcessId=2864 | Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EventID=11 | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557660 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.551 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-09-03 15:28:51.675
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557659 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.551 | ProcessGuid={4DF467A6-D93F-6137-8AAF-00000000F001} | ProcessId=5720 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=570C588378104BFF236F86DB0AB469DD,SHA256=B6FD1148FE334AC19ECBEEE87F5DB288B68B1303E0A56E583EA7BB2E3ACD6C97 | IsExecutable=false | Archived=true
EventID=23 | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=2132371 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-296.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:42.231 | ProcessGuid={AEE49BD1-41FD-6132-DA00-00000000F101} | ProcessId=3924 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=6B9FC93A1C73224CB36D9BAFC19FEA31,SHA256=ECDCB7E8F5470D38EDCCFC0414EA7F0EFD3C36EDC85E74CC8BC79960A87E65FB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557712 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557711 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557710 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557709 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557708 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557707 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.3269 (rs1_release.190929-1234) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557706 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557705 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4530 (rs1_release.210705-0736) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557704 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557703 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557702 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557701 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557700 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=vcruntime140.dll | Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557699 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 | Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | EventRecordID=7557698 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-291.attackrange.local | RuleName=- | UtcTime=2021-09-10 17:12:43.981 | ProcessGuid={4DF467A6-920B-613B-9522-01000000F001} | ProcessId=4832 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007557697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007557696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007557695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007557694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007557693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007557692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007557691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007557690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007557689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007557688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007557687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007557686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® 
Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007557685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007557684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007557682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007557681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007557680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007557679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007557678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.981{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007557677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.966{4DF467A6-920B-613B-9522-01000000F001}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007557676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:12:43.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:43.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:43.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:43.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:43.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:43.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007557670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.918{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6937140147788F0E7E753528DA767DBA,SHA256=D49BD671AC9094D2DC7F4CD68F2C2F1E807259CD41E76624B4AF9AAEF970CD9Efalsetrue 11241100x80000000000000007557668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:43.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A29DC820A3E8B5D268BA4A4F70DA313,SHA256=97056DFEA4B20715EA8F90C3CD9D1CB653A21668661B29CD6F38682C4CDA4EE1falsetrue 354300x80000000000000002132375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:34.864{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62408-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:43.264{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABA88AD321736A80E69A12EC6A693C5,SHA256=D80FCE404BB472387B551E55EE8A888BD3EC26D86F1C333252631567E6AB7099,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002132373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:43.183{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA7D0F8ECF4C0F1794F98E797341D6AC,SHA256=2EDED3ACE47950B3174DE8051CC7DCFE983A181C8DE48758DBE85C486291182C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:43.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=735E5A49310774CCA3D6BCDB3DD1FF94,SHA256=E71C42976D00B6A72CDB76CF761BFD041E4B60F5E80D2CE5A72C01B52F52BF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:44.266{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD547F9DCBA962A7A9A83CA44FCF26C,SHA256=D9B04BAD3CF00377083D76F1C0BB36E6AD185F8F440E72BF1852C281AF10E859,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007557787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.817{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007557786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.817{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007557785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.817{4DF467A6-920C-613B-9622-01000000F001}26681776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.817{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007557783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.817{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image 
HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007557782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007557781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007557780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007557779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007557778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007557777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007557776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.695{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007557775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.680{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007557774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:44.680{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007557773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.680{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007557772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.680{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007557771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:44.680{4DF467A6-920C-613B-9622-01000000F001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007557826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007557825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007557824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000007557823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007557822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007557821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007557820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007557819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007557818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007557817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007557816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007557815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007557814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007557813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007557812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007557811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007557810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007557809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007557808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007557807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007557806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007557804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007557803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007557802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007557801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000007557800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.379{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007557799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.364{4DF467A6-920D-613B-9722-01000000F001}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007557798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:45.363{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:45.363{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:45.363{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:45.363{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:45.363{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:45.363{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000007557792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:26.961{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56935-false10.0.1.12-8000- 11241100x80000000000000007557791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB80857DD42C322290CBB77AB421F21,SHA256=F6ACC76DABB50E35348B584CAE5753A1E2542A4D143A1FD04DF3EFCF4D6DFA6Dfalsetrue 11241100x80000000000000007557789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007557788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:45.095{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AF00AE8477F534F5B7263D2A5AD1C30,SHA256=40FA5038771C942E480E201D388B31DAA1409D47BD4949E7D88D58011A38F85Bfalsetrue 11241100x80000000000000007557974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.929{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.929{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4CB91DEB75F4F07FA32FA9DD6C5BC8,SHA256=6E23864ECFAB18C1CD19670C7479FE9A6A77E0663D4027F2BE88E463C408EA97falsetrue 11241100x80000000000000007557972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007557971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.909{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2A8103222F51E31076484BF1EDC4DC4,SHA256=EDEDC94118786960A1FBF5A2151D54911C98A060883BA37E0490769C5E146159falsetrue 534500x80000000000000007557970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.908{4DF467A6-920E-613B-9922-01000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007557969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.892{4DF467A6-920E-613B-9922-01000000F001}38285992C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.892{4DF467A6-920E-613B-9922-01000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007557967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.892{4DF467A6-920E-613B-9922-01000000F001}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007557966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007557965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.892{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B7538BEAB2F1F8F0E95B605BC8D2F3,SHA256=FC396D3CB1E100A3BC32905EE493C588FB77883E2199CD73261D5F3F9D512A36falsetrue 11241100x80000000000000007557964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.829{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007557963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.829{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 23542300x80000000000000002132378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:46.269{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711523CE20289C49FB18D34B51CA3483,SHA256=56632284B26A93B3B279973BF04BC0DFB40F141FD894104D05CAA0E34128038C,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007557962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007557878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007557877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007557876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007557875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007557874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007557873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007557872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007557871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007557870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007557869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007557868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007557867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007557866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007557865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007557864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000007557863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007557862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007557861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007557860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.062{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007557859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:46.047{4DF467A6-920E-613B-9822-01000000F001}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007557858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:46.046{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:46.046{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000007557856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:46.046{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:46.046{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:46.046{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:46.046{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002132379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:47.270{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03CD43EFB3CE01317FB2207566C80E5,SHA256=1DEDB1F3E8A9CBDA472458183D7D483741DF2B79D12699E881F05E8BA807C7BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.759{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:47.759{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6829128DFA379FE8E6A9966AFAB2B0E,SHA256=A18B3F3C2B41BD8E389ADDC9918B2F5CA253EDE903F17C9BBD8BD26D83625A74falsetrue 534500x80000000000000007558034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.575{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007558033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.575{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007558032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.575{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007558031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.575{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007558030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007558029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007558028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007558027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 
734700x80000000000000007558026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007558025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007558024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007558023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007558022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007558021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.460{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007558020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007558019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 
734700x80000000000000007558018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007558017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007558016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007558015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007558014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007558013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007558012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007558011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007558010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007558009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007558008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007558007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007558006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007558005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007558004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007558003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007558002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007558001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007558000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007557999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007557998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007557997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007557996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007557995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007557994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007557993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007557992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007557991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007557990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007557989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007557988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000007557987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007557986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007557985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007557984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007557983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007557982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.444{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000007557981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:47.429{4DF467A6-920F-613B-9A22-01000000F001}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007557980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:47.428{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:47.428{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:47.428{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007557977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:47.428{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007557976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:47.428{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007557975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:12:47.428{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000002132383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:39.995{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62409-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:48.272{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9F9130ED91587F3382F89C293A1C7F,SHA256=C19AB305A154BEA3DAB4DD241153A197D5535676081D3EED4707DC736CF8AF47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007558099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:29.695{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56936-false10.0.1.12-8089- 534500x80000000000000007558098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.211{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007558097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.211{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007558096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.211{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007558095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.211{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007558094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007558093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007558092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007558091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007558090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007558089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 
734700x80000000000000007558088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007558087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007558086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007558085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007558084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007558083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007558082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007558081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007558080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007558079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007558078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 
734700x80000000000000007558077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007558076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007558075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007558074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 
734700x80000000000000007558073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007558072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007558071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007558070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:48.074{4DF467A6-9210-613B-9B22-01000000F001}8140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft 
11241100x80000000000000007558122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:54.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:54.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89380D7A2EFA3F40E2EE54E735799AF1,SHA256=7B3F8542AFE2D5FC200EC692951EB9B33D6D0FD3F5F88CC5ACDFA9572A6A5E96falsetrue 354300x80000000000000002132391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:45.834{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62410-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:54.250{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305CA1C146BB0D17C04D8C04CE5DDD0B,SHA256=E6F2CEF2E680522419AFE300F5B989F0AC128A5EB14ED296FD15D5E710D64DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:54.250{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2989656E6390F2AA8DC909DD3BB5299D,SHA256=662528C701C4F05BE1366A2B4FB836BA428A700BE3DA7332D43009504F955193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002132434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9217-613B-B71B-01000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132433Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132432Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132431Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.765{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9217-613B-B71B-01000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.765{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9217-613B-B71B-01000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.751{AEE49BD1-9217-613B-B71B-01000000F101}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132421Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.749{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFA37AE83DD4CB653F8A1199E7A44CC,SHA256=23BC842096E2055E5146B08650571D91ADFBE8C7F134C86A889C93147374F18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.749{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305CA1C146BB0D17C04D8C04CE5DDD0B,SHA256=E6F2CEF2E680522419AFE300F5B989F0AC128A5EB14ED296FD15D5E710D64DE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:55.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:55.330{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573D6DD2C07C2F64751AF08442EBA514,SHA256=EC375AAEBDCD6952B2688C7B7F9166B7156E8FF321961FB68B4B963A2A43963Ffalsetrue 10341000x80000000000000002132419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.281{AEE49BD1-9217-613B-B61B-01000000F101}17526108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9217-613B-B61B-01000000F101}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:12:55.150{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-9217-613B-B61B-01000000F101}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.150{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9217-613B-B61B-01000000F101}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.135{AEE49BD1-9217-613B-B61B-01000000F101}1752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:56.803{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68026D634A5F96F1684A993E62E881FA,SHA256=E0FD6B303B0900F47807D21F4D76B96EC7AEFF4B0D385B62F720F446CAB3FED1,IMPHASH=00000000000000000000000000000000falsetrue 
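The Event ID 10 (ProcessAccess) records in this export fall into three recurring shapes: svchost.exe, with lsm.dll on the call stack, opening sysmon64.exe with GrantedAccess 0x1400 (query-only rights); csrss.exe, via basesrv.DLL and CSRSRV.dll, opening each newly created Splunk helper with 0x1fffff; and splunkd.exe opening the child it just spawned with 0x1fffff, where the matching Event ID 1 for splunk-netmon.exe carries splunkd.exe's GUID as ParentProcessGuid. The triage below, an added example that is not part of the export, decodes the access mask into its PROCESS_* rights and suppresses those three benign shapes while flagging tamper-capable access to a sensitive target. The sample records are constructed to mirror the values visible above; the final tool.exe record is hypothetical and exists only to show a hit, and lsass.exe in the sensitive-target set is an assumed addition, not something the export shows.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example, not part of the log export on this page. Sample records are
constructed to mirror field values visible in the export (images, GrantedAccess
masks, leading CallTrace frames, the Event ID 1 parent GUID); the last record
is hypothetical and built to trigger a finding.
"""
from dataclasses import dataclass

# PROCESS_* access-right bits from winnt.h.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0004: "SET_SESSIONID",
    0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF                     # STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0xFFFF
QUERY_ONLY = 0x0400 | 0x1000 | 0x100000          # rights that cannot alter the target
TAMPER = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0800  # inject/read/suspend
# sysmon64.exe is a target seen in the export; lsass.exe is an assumed addition.
SENSITIVE_TARGETS = {"sysmon64.exe", "lsass.exe"}


def decode_mask(mask: int) -> list[str]:
    """Name every set bit; bits without a name are kept as hex so none is lost."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS.keys())
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


@dataclass
class ProcessAccess:          # the Event ID 10 fields this triage uses
    source_guid: str
    source_image: str
    target_guid: str
    target_image: str
    granted_access: int
    call_trace: str


def triage(ev: ProcessAccess, parent_of: dict[str, str]) -> tuple[str, str]:
    """Return (verdict, reason). parent_of maps a process GUID to the
    ParentProcessGuid recorded in its Event ID 1, used to recognise a parent
    holding the full-access handle CreateProcess returned for its child."""
    src = ev.source_image.rsplit("\\", 1)[-1].lower()
    tgt = ev.target_image.rsplit("\\", 1)[-1].lower()
    if (ev.granted_access & ~QUERY_ONLY) == 0:
        return "benign", "query-only mask"
    if src == "csrss.exe" and "CSRSRV.dll" in ev.call_trace and "basesrv.DLL" in ev.call_trace:
        return "benign", "csrss process-creation callback"
    if parent_of.get(ev.target_guid) == ev.source_guid:
        return "benign", "parent opened its own child at creation"
    if ev.granted_access & TAMPER:
        sev = "high" if tgt in SENSITIVE_TARGETS else "medium"
        return sev, f"{src} -> {tgt} with {'+'.join(decode_mask(ev.granted_access))}"
    return "low", "non-query rights without tamper bits"


# Constructed samples mirroring the export; GUIDs are copied from it.
SPLUNKD = "{AEE49BD1-41F0-6132-A300-00000000F101}"
NETMON = "{AEE49BD1-9217-613B-B71B-01000000F101}"
SYSMON = "{AEE49BD1-415B-6132-1D00-00000000F101}"
SAMPLE_PARENTS = {NETMON: SPLUNKD}               # from the Event ID 1 for splunk-netmon.exe
SAMPLE_EVENTS = [
    ProcessAccess("{AEE49BD1-415A-6132-0C00-00000000F101}", r"C:\Windows\system32\svchost.exe",
                  SYSMON, r"C:\Windows\sysmon64.exe", 0x1400,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6"),
    ProcessAccess("{AEE49BD1-4159-6132-0500-00000000F101}", r"C:\Windows\system32\csrss.exe",
                  NETMON, r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe", 0x1FFFFF,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645"),
    ProcessAccess(SPLUNKD, r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
                  NETMON, r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe", 0x1FFFFF,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860"),
    # Hypothetical: an unknown binary opening the Sysmon service process with full access.
    ProcessAccess("{00000000-0000-0000-0000-000000000000}", r"C:\Users\Public\tool.exe",
                  SYSMON, r"C:\Windows\sysmon64.exe", 0x1FFFFF,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(0000000000401234)"),
]


def run(events=SAMPLE_EVENTS, parents=SAMPLE_PARENTS) -> list[tuple[str, str]]:
    return [triage(ev, parents) for ev in events]


if __name__ == "__main__":
    for ev, (verdict, why) in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:6} {ev.source_image} -> {ev.target_image}: {why}")
```

The parent check is what keeps the splunkd.exe records quiet without allowlisting splunkd.exe by name: a handle with 0x1fffff from a process that is not the target's parent is not covered by that rule, so a process impersonating the forwarder would still be scored. The csrss.exe rule is deliberately tied to the basesrv.DLL and CSRSRV.dll frames rather than to the image name alone, since the image name is the easiest field to spoof.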
354300x80000000000000007558131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:38.026{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56938-false10.0.1.12-8000- 11241100x80000000000000007558130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:56.344{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:56.344{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1988DEBADABB5480E9514423E1120C87,SHA256=93990A92FC68128428DB5499CEC538ADDA90985F2337D4F7DC3D37C43F23A1BBfalsetrue 23542300x80000000000000002132435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:56.782{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31350D0FBDCB6971D5F610D68C72D2E,SHA256=E5491EA7BDBE9E17B0D92811E6F97A48A09F9C59AE2AB79F7EB1FD653B1D3E15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:56.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:56.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5A9B250B4654A2079EDCE1CC396670D,SHA256=83275A28F79A0DEF29D4009D62798ED6C3171DB61006305FAC05A1967335A5E8falsetrue 11241100x80000000000000007558126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:56.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:56.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03F24E6C087390CB87B094D192D64222,SHA256=55E8F005E9186F2B9B6A8B93069F4FC9152C441C89A9136065AD1378558F2A24falsetrue 23542300x80000000000000002132437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:57.821{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F1B78452A1425F4237511B579A3679,SHA256=6F311C2009D8B89F7484E122F21769DAA292E001D79BF1F719DCE8A63A032345,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:57.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C42297F72AEF7A0A24C0D1D7ECFC2321,SHA256=5C06E3476FA754C34A703F24D3A1BF9F913E417AC32673FBC6B58C49435AE8E8falsetrue 11241100x80000000000000007558137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB1DF989391125D1FC7ACD2F94D6D36F,SHA256=F68F30EDD1D19D3DB731A501690E5E51C368FCA7A08D8613C9E8261E9E52DD68falsetrue 11241100x80000000000000007558135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.358{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.358{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56A62AD9BBC09A2A805F296A8FC9133,SHA256=B74533F62E847D9AE289C0EE659B9212CF941B80D8078EB3D9EC158A6833AB4Efalsetrue 11241100x80000000000000007558133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=897BBF8C614A9A4D05905307C91BAF42,SHA256=E61A165C44325D4DA6A83866B47A8B0465731EC4393FD26D0BCD89E0853750E8falsetrue 23542300x80000000000000002132438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:58.884{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2FE86989ABADF892904EED9977C832,SHA256=4847CE2C125796718D030A37C21A033403DF808FF2A5381050CBF1B5CE43CC7F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:58.540{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000007558145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:58.540{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=994C06A287B0EA4CABA6443028FAE6B3,SHA256=96A7263D28CC2EF87231B40E482FD27CF21F603576D1417495082AEA02CD322Bfalsetrue 11241100x80000000000000007558144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:58.456{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-10 17:12:58.456 23542300x80000000000000007558143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:58.456{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000007558142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:58.456{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-10 17:12:58.456 11241100x80000000000000007558141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:58.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:58.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A9FD489955BFC90866AFB5679156EB,SHA256=A3417BC8193F31A576A15CBD5BFB84C5941A938775B860DFC904578F713C0BA4falsetrue 23542300x80000000000000002132441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:59.905{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A1B9A9D3C254188B94D5E0C5121B9D,SHA256=EA60117361C023E494D3D91D467509D0B7E5B91A0C0F304B987DC09379E0A47C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:59.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:59.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AE5034965E67CB5EA0760DE227FBA0,SHA256=AA7F8E83DE40BAAFECCED48F122E0D2AC0CCD22B0B8C39708BA8FE8E65144521falsetrue 
354300x80000000000000002132440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:50.889{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62411-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:59.138{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F120685A28B99C57F6729773C94E4F7B,SHA256=058FB0AC206AE61054C48ACB13713209E62940CE05217866557F35EC52F781EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:00.909{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC3802A97655D42284E4C6F999303D4,SHA256=83D4313BDD2B8954F51A999F3DE5445827F1F3E3C35A7370D156818BB4506B20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:00.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:00.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD911C629FF36B6F92B8D5D054FB8DD3,SHA256=F847545C6B4DBE55678E882430D6CC2FAE2DA7DD2EB2EB7CDE443D9212942246falsetrue 23542300x80000000000000002132443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:01.928{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DCFC9CD6F68F32C443AED199B9A4F8,SHA256=EB63A4E5AC1CF399A5AAFBB582B88BBBB3211D4560CE20D5148C19DB21F52ADF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:01.467{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:01.467{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA88475395AD15248042E04766B36A3,SHA256=FF6A9CC632EB05DC571D7274244CF86ACE7A27479FCFE63F3EFB72E8754C7F01falsetrue 23542300x80000000000000002132444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:02.929{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71C68408C119DB976F6158D89109C95,SHA256=296D1AF623DC6A685D2513769BABBBD102DD24700DF96BF467D0FB7C06C03E13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=80430D30C0AEEAFE9FA490C41897490B,SHA256=9B7434CBA0E2BB9E025AC213A8F7C68DE5DABB3B4E610E48ED557F9DCA4F4FB6falsetrue 11241100x80000000000000007558162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.949{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9220B89ADFE8CA01DE22610BAB391720,SHA256=F97811472BA0171DA215D116E0434924313422C21A30C40E54ABBB7D05C74FA4falsetrue 
11241100x80000000000000007558160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.485{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.485{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8804AD6F68AF7ADF788122730537F8,SHA256=20AE2F63D0F2E4CBB8D80076F2BBE682CFD0BF992E99E5491C8A5DAEA1D8C679falsetrue 11241100x80000000000000007558158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A43E10EB2178D93FD452376932B3EAC,SHA256=359A46ABB070B2CCE0A62236011AF3228ACE4701722326CB83D810FDC0489ADFfalsetrue 11241100x80000000000000007558156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007558155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5A9B250B4654A2079EDCE1CC396670D,SHA256=83275A28F79A0DEF29D4009D62798ED6C3171DB61006305FAC05A1967335A5E8falsetrue 11241100x80000000000000007558154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:02.004{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1FB984067B1E965ED90E6AA70E427646,SHA256=83C704E227E7A8F9C39900F6F6A3F812A37E2AC12DCA1B2A665FE60C6588CFD3falsetrue 23542300x80000000000000002132445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:03.931{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C3F02FC53774F863A38C83772B2034,SHA256=41B286B41EC1D4877063D01631A1594F99C9CDCD56616FE98CCFAEE9975FF026,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007558167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:12:43.969{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56939-false10.0.1.12-8000- 11241100x80000000000000007558166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:03.502{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:03.502{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE55F947F94B729FEA3756DD1E232CF,SHA256=6DCD987E40C84F295646120FF505ED2B3E4B2297380B4248B87E419FBB543B23falsetrue 23542300x80000000000000002132449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:04.932{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4C4E0F523D9D64F7A1E1B75EF3DB39,SHA256=0C81C3A6ED79BBD06586D9029EF1D54D838CF0AF92A0ADE320CCE8621813117B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:04.532{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:04.532{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CAA90FC85268F614B75A2242168533,SHA256=BFEB2D5F86F583D9E7A12D9A8ABABD27178F498FE00F5A1AABB1121C8305D0CAfalsetrue 354300x80000000000000002132448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:12:55.993{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62412-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:04.262{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=209A99E5F789793480D923E93EE28E7C,SHA256=83849E90101404CD22DD996BD42CA4420E2AD854E6CA85F17C9B47476EFC5C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:04.262{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E547DD6E4EF84869E233CA490DCBDC82,SHA256=F7E2F1FF297409335D35062231710D10FB19EAE82872857E59869466F562C751,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:04.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:04.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A43E10EB2178D93FD452376932B3EAC,SHA256=359A46ABB070B2CCE0A62236011AF3228ACE4701722326CB83D810FDC0489ADFfalsetrue 23542300x80000000000000002132450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:05.935{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8EC36A915DF8C712A0229F2FC6EF0E,SHA256=B2239C2CB3D5D140C4B40CFEB0DC9A4409C83BFF853D5B31AE828672BAD7B646,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:05.562{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:05.562{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C7BA33FB30CB8FD41E7F1B41498C34,SHA256=FFBAF48A8B2F460A2341F4A40215EFE83D2146D3EBC98327EDC6A79DD837E985falsetrue 11241100x80000000000000007558175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:06.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:06.578{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E7A4A157843AB61E5A4384F39DBA7E,SHA256=FDB3CFEFC1539020602E24B479C916AC2861B5BE84E1168C4FD2C4DE29CEDD3Efalsetrue 23542300x80000000000000002132451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:06.937{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B2B7B98CA1A0B1170987B7376A4659,SHA256=90B575CFDD7C241FBBE29A16E5887E8BD81E3D73304A2AFCEC128164B747733B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:07.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:07.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3D52C5AC75270DA8783D793037992E,SHA256=7FC26C8BE9D55768295B12BBC4F7217E0C8450A39E3DCF90260A2AFA179740F0falsetrue 23542300x80000000000000002132465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.937{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1810A68213CF5A1A08E4FE55394393,SHA256=0B26C622912601D5CC3C82F24D91D15A0586748E4C0D983B32676FC4E58B65D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:07.059{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:07.059{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=759D12798E36AF7013CBB930B701F051,SHA256=416B566BE4C3835B7CB9356D9C0134F6FCE8A1139DBA31B6601BCFD8480ED9E2falsetrue 10341000x80000000000000002132464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:07.922{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9223-613B-B81B-01000000F101}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.922{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:07.922{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9223-613B-B81B-01000000F101}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.922{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9223-613B-B81B-01000000F101}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.916{AEE49BD1-9223-613B-B81B-01000000F101}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.938{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717D67DF58D16E5E2CE73AFE100CD684,SHA256=2330AA1B30F8E0446DB01158A0D2B55F42621E6C94C5C043DDE974730065DE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.938{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=209A99E5F789793480D923E93EE28E7C,SHA256=83849E90101404CD22DD996BD42CA4420E2AD854E6CA85F17C9B47476EFC5C9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C990D785374F77844D68AC574725B838,SHA256=38E5B1DEA3CC97303677E02EC1924FA1A3A2D4FFD59117764E5ED9D90DBF74B6falsetrue 11241100x80000000000000007558185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A6E66BD0380F611F90A5AD961DC354,SHA256=235C553B9EEF3E7931B59108DB4947F9E13C7E7EC5BFA4A62590DD57F43DA0BFfalsetrue 11241100x80000000000000007558183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7EE38CA719160174AEDFA1C8C995B07D,SHA256=15711EDA918DED1A738208C26F9CB17E31EDD6C313EF247962E6BE069791DC37falsetrue 
11241100x80000000000000007558181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:08.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7346B3498D3518B2C50682E141627775,SHA256=7FEAEE5E8C9C0CAB1374347ACD50A4550DE65454A8B997B8B6D3A8C00D3A49C3falsetrue 10341000x80000000000000002132480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.722{AEE49BD1-9224-613B-B91B-01000000F101}34766128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9224-613B-B91B-01000000F101}3476C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:08.601{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9224-613B-B91B-01000000F101}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.601{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9224-613B-B91B-01000000F101}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.586{AEE49BD1-9224-613B-B91B-01000000F101}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002132466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:08.053{AEE49BD1-9223-613B-B81B-01000000F101}53481376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002132497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:09.939{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934F9195866B7E953E9B91AF55CC975C,SHA256=72967A54A43655F6EB881E748EA2FDDD1CA6CEA76684D3DCBD78C5E278AC9CBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:09.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore2021-09-10 17:13:14.516 11241100x80000000000000007558221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpset2021-09-10 17:13:14.516 11241100x80000000000000007558220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstore2021-09-10 17:13:14.516 11241100x80000000000000007558219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.vlpset2021-09-10 17:13:14.516 11241100x80000000000000007558218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.sbstore2021-09-10 17:13:14.516 11241100x80000000000000007558217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpset2021-09-10 17:13:14.516 11241100x80000000000000007558216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstore2021-09-10 17:13:14.516 11241100x80000000000000007558215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.vlpset2021-09-10 17:13:14.516 11241100x80000000000000007558214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.sbstore2021-09-10 17:13:14.516 11241100x80000000000000007558213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:14.516{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating2021-09-10 17:13:14.516 12241200x80000000000000007558212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:14.464{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 
12241200x80000000000000007558211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:14.463{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007558210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:14.463{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000007558209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:55.068{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56941-false10.0.1.12-8000- 354300x80000000000000002132513Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:07.032{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62419-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002132512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:06.995{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62418-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x80000000000000002132511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:06.906{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62417-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x80000000000000002132510Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:06.864{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62416-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x80000000000000002132509Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:06.863{AEE49BD1-415D-6132-3A00-00000000F101}2480C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62415-false169.254.169.254instance-data.us-west-2.compute.internal80http 23542300x80000000000000002132508Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:15.148{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD38636443CC8AB0092A927B878D19A,SHA256=DC1A6F0901E4D753D842505420F6305BEE0DAEB4F509BBF04951137249AD3796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132507Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:15.110{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2877663A0C95D0A9D6786F624F85416C,SHA256=C5484238B7B785F5BC97B67C29B6B0B7EF7F70F4FF60AFF767A60BB5B336A66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007558325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=510DBE6F67223DC5455E6E4154A5ABA1,SHA256=EAE14BE97AEE2D07A23A3873E18A3B36C7B418FB5F7C246D3C545A3DE694CE64falsetrue 23542300x80000000000000007558324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=74B40F273A6747E9CE65CCBF8271C07D,SHA256=FB4D70D21CBA8D7CB9007D65FA14CD3C9B1174E1C021EEF0E6AADF9ECDBF137Cfalsetrue 23542300x80000000000000007558323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=2B389398AA165211D3266E5FCE7C4A1B,SHA256=D03AED95539ACF458EB2DCFAE019EE36FE15032E585CCE3E27AE6F9C2CE81CA2falsetrue 23542300x80000000000000007558322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=770D1830F8D6205E2C4F4803B793ED47,SHA256=F60ADE0662A50F1FD8DB63072A7334A25B65F787BCB5919D48F5553815DD786Afalsetrue 
23542300x80000000000000007558321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=A22E116730EDC7AF2CCA43F01ED2287B,SHA256=8ABFC97A9A054898114283D995C9CE64B117E7F0341E41A59684A307F14DA4BDfalsetrue 23542300x80000000000000007558320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=3618696D4E539F97562A79C98543C1CD,SHA256=6A36AC5E5DD100E661DA8D21E24D4EE9A7F8CBD790B582751AC58AE747372192falsetrue 23542300x80000000000000007558319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=431A9D7F2CDFEAC0470A064901787C16,SHA256=2A5C6A47A86FD3D1FC267C287D10236BA97349083E7DFA67022AA99FF126BA71falsetrue 23542300x80000000000000007558318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=D4EC42A09329AF85B3C9A1C00EA2B908,SHA256=A3F3F2349DE8CA75AD8A464731DC17802A0DDD34BB1E3D4FAE83A674DB613CAFfalsetrue 
23542300x80000000000000007558317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64Afalsetrue 23542300x80000000000000007558316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=1904311EF938B38EA7286C04E0773792,SHA256=DF82CCF876F410906794D4550BA321E1D0C8A8B4D046F7EC9410F4468ED90820falsetrue 23542300x80000000000000007558315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.695{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BCfalsetrue 23542300x80000000000000007558314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.680{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0falsetrue 
23542300x80000000000000007558313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.680{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=CE11F2A860A94D153BA80DC804991E35,SHA256=09CC4B034E205D6FF0B55839EA0968AB015C8DFD4F6D6483B92858FCE27625E8falsetrue 23542300x80000000000000007558312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.680{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=39BA4C3D8D62BBDCCF5E4923AFF5D888,SHA256=C83CE00BDD471E6A8626321357094EA659EC0640FEC9DD444238F465BEE4EB1Dfalsetrue 23542300x80000000000000007558311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.680{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=64459E5660D833BB7A5A270D43336F02,SHA256=900F148D5ACF54D5BCDA1AFD00D13CD28862D3282B519D5B61B846D6C1DE6463falsetrue 23542300x80000000000000007558310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.627{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=F6544C2BBA27B53734D46A2236A67CA8,SHA256=9F5B1CC0BE4DF119D59FC2EAC9732FEAABAD988F148DF98AC70751BE2F962927falsetrue 
23542300x80000000000000007558309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.627{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=0B0EA5BC11723042887939FA2680F714,SHA256=B7821315AF0ADBD8F1741036A46AE5DAA9C1F5C642E4E2A2B63175F06CDEB712falsetrue 23542300x80000000000000007558308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.611{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=D4DD8CD0E462F12C65C4E590EB236D3D,SHA256=EC986DC2A19FD1459678C0562EF58E4F233A8101DB250A9646CEC10397DE0F73falsetrue 23542300x80000000000000007558307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.611{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8falsetrue 23542300x80000000000000007558306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.611{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=DBDE3BAA15B0B56BE0910D8C92AA7CF5,SHA256=4CFBE9512EA828D348725E3555ADD870F27029159837F4890E6C01260D094009falsetrue 
23542300x80000000000000007558305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.611{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=D8B60D283C394688730AC4F9C3A86023,SHA256=C893611699E83589FBDCA13F078C16AECAB036AC5C61440E406B86D48D5CDE71falsetrue 23542300x80000000000000007558304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.611{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=B7F539ADDCA70FA77A5396EA784D214B,SHA256=AD575F96569803F9805EFEF10323063AC3F3B6D67B846204E1DA9E3FE2FB5CB6falsetrue 23542300x80000000000000007558303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.611{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1Efalsetrue 23542300x80000000000000007558302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5F83B0D6BA161602017AC27A96F3705B,SHA256=DB679CA27EE3FD9899E5DEF0384A3722FD19F4A23D8F35CDE1F3482E9642886Efalsetrue 
23542300x80000000000000007558301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97falsetrue 23542300x80000000000000007558300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5falsetrue 23542300x80000000000000007558299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49falsetrue 23542300x80000000000000007558298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761falsetrue 
23542300x80000000000000007558297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25falsetrue 23542300x80000000000000007558296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571Cfalsetrue 23542300x80000000000000007558295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=D3C79EEBD1FBF04B25D7E0D89796A366,SHA256=77CBCDF1F4FBF279888EF690AB6537A37271904F49F10A6B547B50CFB0A04A0Efalsetrue 23542300x80000000000000007558294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1122B8CAA1EE6AFCC8D9C705810B59DA,SHA256=389FB0D336133EEE3F98D97A725786A1191EE0E2BE2AE16458198724EB16DAE1falsetrue 
23542300x80000000000000007558293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97Ffalsetrue 23542300x80000000000000007558292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722Cfalsetrue 23542300x80000000000000007558291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460falsetrue 23542300x80000000000000007558290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.595{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6Dfalsetrue 
23542300x80000000000000007558289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0A118F84489D0336500BA7AA28EEC3DB,SHA256=80CDBD62FAC86A30E13F3CAA31D8DC1BBFA458FF093CA3113DCF17FA09204493falsetrue 23542300x80000000000000007558288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=7108E87CAD9A9187F04E0DB62EE11BA2,SHA256=D3E981266944DC3516502147A13554BB1F413120FFB119EF7191073704AEBDE3falsetrue 23542300x80000000000000007558287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=12C155DD5E881352A0ACA1597315E4B4,SHA256=5EFE168A26228F9557DB8EEF6F128E6F2BC3CFCDBAAC5F1E54CA97980170DD62falsetrue 23542300x80000000000000007558286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E03E73D5F6ECD4CD32C3DC29D718D0CD,SHA256=E0EECABA3B9EF2ED989A88F166FBD18E87DCAE59C51EC0C8615EB181CDBD6875falsetrue 
23542300x80000000000000007558285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=9029D6F8F6B542F8CC8BED031A868332,SHA256=B779ED2DDA6A823FC2E108105D90A5012357F0082973C164F86D95AED6E16573falsetrue 23542300x80000000000000007558284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=98E577C148A61351966CCDC96A865C91,SHA256=2A6127C1960DFB83F8F6D0B6EF099120B1BD858E432B56E7CA14F34B6986D989falsetrue 23542300x80000000000000007558283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7falsetrue 23542300x80000000000000007558282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761falsetrue 
23542300x80000000000000007558281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=3A16652F3D7E909EEFB688780FB23DFB,SHA256=77E575221C7FB694A4D9FD39B1563AF193D1A6AF22C18DCFC77BB992B19B2BF9falsetrue 23542300x80000000000000007558280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.580{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E4AD5A04A5C7E1E2D01F8AD2F766BB15,SHA256=59DBC09166E7BA59B5CB02DF109991B71AD70418BA45595A9536A4758A630226falsetrue 11241100x80000000000000007558279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata2021-09-10 17:13:14.564 23542300x80000000000000007558278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=39BA4C3D8D62BBDCCF5E4923AFF5D888,SHA256=C83CE00BDD471E6A8626321357094EA659EC0640FEC9DD444238F465BEE4EB1Dfalsetrue 11241100x80000000000000007558277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset2021-09-10 17:13:15.564 23542300x80000000000000007558276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000007558275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset2021-09-10 17:13:15.564 11241100x80000000000000007558274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata2021-09-10 17:13:14.547 23542300x80000000000000007558273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.564{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=D4DD8CD0E462F12C65C4E590EB236D3D,SHA256=EC986DC2A19FD1459678C0562EF58E4F233A8101DB250A9646CEC10397DE0F73falsetrue 11241100x80000000000000007558272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.548{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpset2021-09-10 17:13:15.548 23542300x80000000000000007558271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.548{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000007558270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.548{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpset2021-09-10 17:13:15.548 11241100x80000000000000007558269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.547{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata2021-09-10 17:13:14.547 
23542300x80000000000000007558268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.546{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=F6544C2BBA27B53734D46A2236A67CA8,SHA256=9F5B1CC0BE4DF119D59FC2EAC9732FEAABAD988F148DF98AC70751BE2F962927falsetrue 11241100x80000000000000007558267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.506{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpset2021-09-10 17:13:15.504 23542300x80000000000000007558266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.506{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000007558265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.504{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\dueu30lv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpset2021-09-10 17:13:15.504 11241100x80000000000000007558264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:15.480{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A5FF39629086066E15C8E5A5F5BF9B,SHA256=BE5DBC20636F522D9E80590FB7AC3E193B8505B679B57B13E876525F7C3A5955falsetrue 23542300x80000000000000002132514Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:16.131{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32E505F2D78EEFF99EAB09E906BA724,SHA256=F06B26421A3FAC06E64A10CE28A6BE9456BAC0C5AA628F40EEF0E3E6325224AD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007558335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.306{4DF467A6-4079-613A-86FA-00000000F001}5896safebrowsing.googleapis.com074.125.142.95;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007558334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.306{4DF467A6-4079-613A-86FA-00000000F001}5896safebrowsing.googleapis.com0::ffff:74.125.142.95;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000007558333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.345{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56942-false74.125.142.95ie-in-f95.1e100.net443https 
354300x80000000000000007558332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.330{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61622- 354300x80000000000000007558331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:57.328{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49584- 11241100x80000000000000007558330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:16.226{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-10 17:13:16.226 23542300x80000000000000007558329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:16.226{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000007558328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:16.226{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\prefs-1.js2021-09-10 17:13:16.226 11241100x80000000000000007558327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:16.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:16.143{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1498D2EF2595AB1BFBC97E0A78C7B666,SHA256=48B8058A25D1EFBD27F2C8D4B88480F1AD070F53AD0178B36CBAA7ABC4009F53falsetrue 23542300x80000000000000002132515Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:17.252{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69861FF715FB8EEAD8329C0306E3CBD4,SHA256=6DCF9B29EBDFBF44619FB3BDAFFA5CBB6EA734266898ACE29AB4C557513384CA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007558342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:12:59.036{4DF467A6-3F58-6132-2B00-00000000F001}294895.142.125.74.in-addr.arpa.0type: 12 ie-in-f95.1e100.net;type: 12 pv-in-f95.1e100.net;C:\Windows\sysmon64.exe 11241100x80000000000000007558341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45ED849028E9220CF6207164754947E0,SHA256=98063351B0D15F7C24013B8275905D2387A70A8C93C90BDE425A5610A195AA16falsetrue 11241100x80000000000000007558339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.243{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007558338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDECA8AE02BDF3238851664C2549161,SHA256=B7D6443C16EE164C16903F83CBC85F5D17451E1149BABF1791E734B34B442231falsetrue 23542300x80000000000000007558336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C64E58FB754076C993697F12A9D5B4F8,SHA256=A3FD8677A489F8073832A43AF63C1E08214C2C0F7593EED92B3342EF7FCE3741falsetrue 
10341000x80000000000000007558386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:18.859{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56943-false10.0.1.12-8000- 23542300x80000000000000002132533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:20.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40D6D4BA4AC2E072FAAAD520D723CE05,SHA256=A10D826F65904BE399A185A25059415CFF1145564660AB2FFDDCA8C292C01ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:21.289{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1058EA49A846E03F19BAD18096B50D6F,SHA256=5A750E8AAE1A6A0D64394B9D86A8D426E8D0ACC1F094BE7992D615C28EBFC488,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:21.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:21.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A632270C2A650F6782D59618B40E3057,SHA256=85D9DA58A23DDF28826D44E08D6E0D2A3FFA26512314C2E25995F2CD9994E7C4falsetrue 
11241100x80000000000000007558406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:21.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:21.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED734CC40B420EF98036DB6683D68042,SHA256=8D8CD5F1AA8B7800B57E40C9CC513223E6474BE973505E9B1A184B4C817F8AE7falsetrue 23542300x80000000000000002132535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:21.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F7275652B11F5273BDAD4722F538357,SHA256=5911B2C071A2974A01D572CF33023F1C221000E4E4C5683423EE52EFB29C236A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:22.615{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:22.615{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF4172D4953F312D81B414FB47B3A9D,SHA256=7C5F457E88242498ECE3A37547D8ED71D83B1B1606C0D051F2D9A3E5BCB39EC7falsetrue 23542300x80000000000000002132538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:22.291{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B1B6AAD6BDC904B04B8A8E960B3EAB,SHA256=80BC7B630DDF2219BD1E5859634B199220F8930B69EA3267EBD498CAEBF11078,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002132537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:13.024{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62420-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007558410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:22.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:22.400{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E59CF5A1990DEB83DECE00DBBCA5452F,SHA256=2041F72F4D64A10BC2ED50390207A10262F1D90A9A87B6849D79C219A00DD4BAfalsetrue 
11241100x80000000000000007558418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FCE54E57E9336D302C11355FF9FE7D,SHA256=7F5676D986B25878ED8A57F6B896B17B0E41CB76B67EC0756D23B4794A820EF2falsetrue 23542300x80000000000000002132539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:23.292{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37334C8A34CCEAC874652B5D6477A60,SHA256=6F1778BB14EDE5E1B7C085C6468517C1B055370790024900913811E94D0642A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAA89FA685663A1A7A57ED2813F6A003,SHA256=192D5937746D39529648ABAC91D1E12FC4CBAD8ABBD3DDBFC916ECFEEE2BBE38falsetrue 11241100x80000000000000007558414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=26420BBEBE5FD34B93516521ABB1B00F,SHA256=4CDA35588FE0EEA63CBC1CFA23C35AF606A3E1884F3DA336B622D5C520FB2A7Efalsetrue 11241100x80000000000000007558422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:24.649{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:24.649{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C101013596A3E14EACD5B138BF87642,SHA256=34100D7E96B4F1F4675F985F224BDD539BF321AC415CA95E6C29F28CEFC17DFCfalsetrue 
23542300x80000000000000002132540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:24.294{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7940E5A1577AB28214C36614FE84048,SHA256=515DCEEDB4643C297BB8FC604526FDF7F50B88F0E8CEA813D049D4ECA1DCA69D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:24.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:24.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE45E22254B31517B2355B9D63DF8165,SHA256=2994FE53E355C4AA258E484BCC9695611D75E259E62952CCD112E34ED6FFB795falsetrue 11241100x80000000000000007558425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:25.678{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:25.678{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD94B06ECA1CB0230611479C7877014,SHA256=640CB2CC361C224A09FD450F7A7F49AA6BBEFC23F3D5A49C9D345F7AB0FC61AEfalsetrue 23542300x80000000000000002132541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:25.295{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA22BF482A69EE4E6E75973E9B52951,SHA256=F5D754C8CAA608DCD9D4401E4242C07F9260437F044C4561A8316F51E38D72DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007558423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:06.991{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56944-false10.0.1.12-8000- 11241100x80000000000000007558429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:26.845{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:26.845{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=169F9D31ED3B651AC1FB1547F71E4DAD,SHA256=E5DF6E16F6D992E5B88E95CF3A382CDF71F6BA809A0F52B8CC40C100DB9A0456falsetrue 11241100x80000000000000007558427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:26.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:26.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64885256B2F571B2F80D5BB51C7699FA,SHA256=847FBF875A7CDD01D0F3DF9B5E86D8DDFECCA1AA3D9DF78A38786EF7B82E9244falsetrue 23542300x80000000000000002132542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:26.297{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B239C6ACBE03D8EA1153DF17ADBD8A1,SHA256=765DA35065C7DE6FB27364E95F8E66B2CC32AAAC93166CD2BFDE4B1128C155ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:27.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:27.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69673B2FAD3EF48EF97FE62768FB1B64,SHA256=D0384E9AC3BF82E7A49439D0699E55398CEDBFF8EEC8B14EC9F8CD85641A6AF9falsetrue 23542300x80000000000000002132545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:27.330{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D287E81BE03F75B44A7CCB04D4289CFC,SHA256=66B2C365D01B7CD1B2F573644C8A5B59659A4C61CC3638FE31686AFB62522B53,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:27.244{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:27.244{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4924B7344C88C553581849EEAEB8D61B,SHA256=90E4813F546EE84EA8C6334F5D86C105A9AD59A29C1C969BC42D0C3F27951F8Ffalsetrue 23542300x80000000000000002132544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:27.248{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=816900C080BEB9AC314463CC932DA68E,SHA256=BC4F88E5D4F5E5CD96BCA8A5662FAE6123A225AFAB8277E12484CF20414CF940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:27.248{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E105CB2E107D4A76357D12AE4005DD87,SHA256=D61FA65A35EA24A246D3662576ECFCB77CC1466BEB989FC39463C742D2B85E8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:28.773{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:28.773{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424F43164D8B8F33946E043141C0B92A,SHA256=2E6F930055C9E0159B414A55CC6870CFA118E60D6E7407C2F8D7DC83AF2BFF80falsetrue 23542300x80000000000000002132547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:28.349{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B0399009AB509B3FEA0500E6EC6FEE,SHA256=E366101922E494AEEAA027A8AAE95FF38782298BB89D66AE86726ABA59AE529D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:28.205{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:28.205{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=00086163B2917713E559066ED807655A,SHA256=388EFBE0C4B70FC83067952EDD1C7B65A367AB367D8302FD2A566E6EF46F86F4falsetrue 11241100x80000000000000007558435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:28.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:28.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CCB1DA1167BBD8234127B065C35A7A72,SHA256=D9D8D88A1F117A583B839B80A1F254E0E02BB268866012F61D70F6D22A6B2087falsetrue 
354300x80000000000000002132546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:18.867{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62421-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007558447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:29.840{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\archived\2021-09\1631294009841.1d20f625-b828-4c49-ba7d-926ef55fe279.event.jsonlz4.tmp2021-09-10 17:13:29.840 12241200x80000000000000007558446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:29.840{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007558445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:29.840{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000007558444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:29.840{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000007558443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:29.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:29.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACEA53C9C487447B773540ADF6683BC,SHA256=F57C80AAD528AAE57A04FD854E3A4C4F4F48BC1ED0417343BB0811F37E9F8B69falsetrue 23542300x80000000000000002132548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:29.370{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E1704041556BB2CB1757028496DF63,SHA256=395266625DE81025A738CD81C5D709AAA09A7B06CA0F9565C39B77CCFC37E4E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:29.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:29.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D214CA81E532C862A02B0E72F446E75C,SHA256=449937C53EE25444D193A0B57D907512916C1C5EA33E26C400F9E5390B6D3F1Dfalsetrue 
11241100x80000000000000007558451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:30.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:30.854{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B475BA41EA7A643694FDEF7ADEF89BEC,SHA256=297154B91EDFE64B28885532C5D126B5CB0D823E87F6936CF8224D22AB60E765falsetrue 11241100x80000000000000007558449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:30.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:30.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BC57AFBB918364698E8B42EC90FBEC,SHA256=5669934205FD909839AB81AB698FA0678015D01B038450B8F0B3395CA9AECA44falsetrue 23542300x80000000000000002132549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:30.372{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B843457CA6F9F24D83847FD5308E73EC,SHA256=20661FDAFB306884BAA4D8F2EEB700A5481864091D81DBA43CE7059C077F47F1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007558461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.718{4DF467A6-4079-613A-86FA-00000000F001}5896pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com035.167.137.152;52.13.236.190;52.27.6.50;34.211.89.183;54.148.159.250;35.163.9.121;52.12.55.135;54.70.80.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007558460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.717{4DF467A6-4079-613A-86FA-00000000F001}5896incoming.telemetry.mozilla.org0type: 5 telemetry-incoming.r53-2.services.mozilla.com;type: 5 pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com;54.70.80.82;35.167.137.152;52.13.236.190;52.27.6.50;34.211.89.183;54.148.159.250;35.163.9.121;52.12.55.135;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000007558459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.717{4DF467A6-4079-613A-86FA-00000000F001}5896incoming.telemetry.mozilla.org0type: 5 telemetry-incoming.r53-2.services.mozilla.com;type: 5 pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com;::ffff:54.70.80.82;::ffff:35.167.137.152;::ffff:52.13.236.190;::ffff:52.27.6.50;::ffff:34.211.89.183;::ffff:54.148.159.250;::ffff:35.163.9.121;::ffff:52.12.55.135;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x80000000000000007558458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:31.837{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000007558457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:31.837{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9360ED638089F0E957EC449C6602E71,SHA256=D358E2A3695DDE8AFACB9D46185155EDCD1D4E0FCA8371A36860A0CC82A7B06Ffalsetrue 23542300x80000000000000002132551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:31.389{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F987AC1802FC9BC5624EE4B1EFB55F2,SHA256=553F92B55E165DB0DF9EDE139128F476EC1B1963C4599A06A539CCB2321FB86F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007558456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.918{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56946-false10.0.1.12-8000- 354300x80000000000000007558455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.741{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56945-false54.70.80.82ec2-54-70-80-82.us-west-2.compute.amazonaws.com443https 354300x80000000000000007558454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.741{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58656- 354300x80000000000000007558453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.734{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56138- 354300x80000000000000007558452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:12.707{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56138- 23542300x80000000000000002132550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:31.173{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9B2AE5650F8A872458321ACF2A812499,SHA256=F6CADD461762F42950006FF2B226B225118F4159A149A7F9A46B06A58D7CA2EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:32.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:32.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F380DAE0F617B23F2DBC92C1C5D29FBC,SHA256=E9565076A4440665FCF79AB69BE04934B97CC1E2DC6723AE881DA3C532186C62falsetrue 23542300x80000000000000002132552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:32.390{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B260D369769D24BBE56225830B2727,SHA256=4B19C603B1263B7CFC4A522CE855DEB5095E055158CAC8611DBB9E4B78677C4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:32.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:32.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=553B25F0BDF5023E8CAD84E08F95AE84,SHA256=25AFFCD1605BC528EEE21F641356DCB4E47D3EF617DCECE79CA151B52FA86F92falsetrue 11241100x80000000000000007558471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:33.896{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:33.896{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4710081C216FB5D940E013B37B3827EB,SHA256=22E7B87A87DF12E011188D6DB4D3F032DC07246C8DFD152C24F825C1AC38B627falsetrue 23542300x80000000000000002132555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:33.407{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94682CA0B59BBD95980EA8FC3F131D1,SHA256=95A8D5A9B4F60E8AAB4F2074991615235B5292BB4AAEA4A1BB0FEAE90711A872,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:33.281{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:33.281{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B742052DBBDDBC53A1CD11967627DE7D,SHA256=52990E9700B00BDB8C6B3099DCAA0F640B0F552D7B22B553D11A0229C20E344Afalsetrue 11241100x80000000000000007558467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:33.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:33.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E4FEEA144E3764E5743233FA06CA2B5A,SHA256=5D999676EFB8A9817FF9ADE7113D5CAD43D33B4C46134EBCA9CE9AA38A9214D6falsetrue 23542300x80000000000000002132554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:33.007{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9445FDDBE4889AA861081A3A3FB200B1,SHA256=C20ADF275AF7575F1CAEE4AB738B402DB47BA725489981967B498886EB68C4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:33.007{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=816900C080BEB9AC314463CC932DA68E,SHA256=BC4F88E5D4F5E5CD96BCA8A5662FAE6123A225AFAB8277E12484CF20414CF940,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:34.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:34.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57630C34A2F5EAC328954EA65E8C173,SHA256=CDC115DA39D033DFB96D0BB848679B95C37F2EA8B2F87D513AEB62E6983FFE6Ffalsetrue 23542300x80000000000000002132557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:34.408{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC52FF45ABB044FE697E880E15318185,SHA256=9C9164DA4ABE12CBC849FAEEE29AE2EC9F473A2312C3B5170588C2C6AF3995FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002132556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:24.792{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62422-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007558478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:35.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:35.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A407616ACB4EDD42859A0879A6356BD3,SHA256=6213B1206ABFBB5AA69C4FAA723ADDD54FC6AE179742269B39458060A25E9667falsetrue 23542300x80000000000000002132558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:35.410{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A082C68250837D56711D66F597875EDA,SHA256=7A8A1F50D9AC9CD8F9805E64E0C9F26EC340F35353D664EB27814E8A5309B002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007558476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:35.233{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9930MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007558475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:35.232{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99302021-09-10 17:13:35.232 11241100x80000000000000007558474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:35.231{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99312021-09-10 17:13:35.231 23542300x80000000000000002132559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:36.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B1B26EF35FE5FA8939D0611DF87CCF,SHA256=8CEEC0BDE9D7AC4BAA56971737AC36652943F4FB991BA354B9A1A797E7E69DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007558483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:36.246{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-9931MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000007558482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:36.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:36.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD056207190D5FAB856BBD35C7AD21D,SHA256=9C602F44450214F09B13AFEF303996A85C5BD990005AF9CA32066780730F51C9falsetrue 
11241100x80000000000000007558480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:36.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:36.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29A616320BF2CFC1B61DB5E9CA5F66DD,SHA256=583BC92F60FC43E46CA63E95BEF2E55DA4639199A37B06DEFC89364E482E4702falsetrue 354300x80000000000000007558488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:17.994{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56947-false10.0.1.12-8000- 11241100x80000000000000007558487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:37.328{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:37.328{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FBE208CB8ADB7E8CB875CC040BE5AAD5,SHA256=211F21BBBF4DE3FEA762FC4B37D03A3A3A6F70D7FC705E4088747B308D8552CAfalsetrue 11241100x80000000000000007558485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:37.013{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:37.013{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F395A8FDC645AFD2D123A7C72690682A,SHA256=59DE8076BD34A4D02BADBF013613A9F060266806CEAFB8B9933B443FB6F15A8Dfalsetrue 23542300x80000000000000002132560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:37.414{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90802E37DBC4368AAB45A3BF7788DA0,SHA256=A735E788C63BE098DC4F63AC3FB734C5C74B79EB85C16C40EFAB59A5D3819EAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007558493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=67BB44CF89B89FA8E463B4CD7CDE894E,SHA256=069C413DC404835211089DCEA32860D7A23F7BDB4CF2B54C8A071B2A52EF2DB4falsetrue 11241100x80000000000000007558492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E79EA8C324F41530E647522DA975692,SHA256=113BF297636DE0D18BFEBD2E9FB54793C0664BB906E2230C58B312D189DFE41Bfalsetrue 11241100x80000000000000007558490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.027{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52102647F1CB25DF72402C883E551730,SHA256=5B6189A598C87250014253B942CAD2724C1AB2D326384243354571EA92BFD1ECfalsetrue 23542300x80000000000000002132563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:38.431{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AA7EE7E2D7BE861278F18CC54ACDDC,SHA256=ACD2F76DB5AC5D7AD9FA5D1D92A731A167CA7D6FC41DF9999C7E0ECF5E031186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:38.300{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46BB766D1229CFC5E0F390C6CBC20255,SHA256=BCEAC719E34D13E0F3C83BFD666BCB770174A5858856680DCE59725F341DE810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:38.300{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9445FDDBE4889AA861081A3A3FB200B1,SHA256=C20ADF275AF7575F1CAEE4AB738B402DB47BA725489981967B498886EB68C4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:39.432{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9931BAC0BDC7333ADFBEB06F4DD312,SHA256=1764B90407962862528D8D1EA027078CBDDE583357A7FFAA898689A2C6FBEBD9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FBAC09A59D2B114E390EF76E17FE9E,SHA256=9A3C56A235390ADA386500B49DD1E9EDA5CD319FD16E412AD6363E04BE32F2D4falsetrue 354300x80000000000000002132564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:29.900{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62423-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:40.434{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454C2945C68262EA11472EC8627CB5B0,SHA256=70353D7D6C77053CDAE6CAAC41C6AA51B16CFB1DE406F10B3827963FD9AA1309,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:40.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:40.055{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448E69A1CBB11E6DADB5CC3971786EB5,SHA256=240FEFFBFC11BA2CC1063535F19EE2883864A4DCEA6E9FAFB5C14FAC3A49EFCBfalsetrue 23542300x80000000000000002132567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:41.436{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57ED5BEEB2D5F0E84853D9F227DEBA3A,SHA256=B61D559ADB869D2B8A933FEB0460596D7352381C13125202FA408351F74B49E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007558505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:23.033{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56948-false10.0.1.12-8000- 
11241100x80000000000000007558504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:41.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:41.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55C475D09FCB15FBBDD298112931BDA5,SHA256=AC2B0E1C72B3D89D66FC15A2D189367C8FBE07C462EE980815D1FF00036C3492falsetrue 11241100x80000000000000007558502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:41.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:41.184{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD056207190D5FAB856BBD35C7AD21D,SHA256=9C602F44450214F09B13AFEF303996A85C5BD990005AF9CA32066780730F51C9falsetrue 11241100x80000000000000007558500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:41.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:41.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554AA4B3DA37F31405F1E0FDC221FCCB,SHA256=75BCD3437B9BF5331E3123D39832C7659140E5941B44EB7181AD6E0DD5219F82falsetrue 23542300x80000000000000002132568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:42.437{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D659D69DBA6F98526989036AAF24ABA0,SHA256=36AA285EF1FF3E4375BA6B91F1D4B29C254F2598688D9494E88C32E3F87E6BE6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007558511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:42.900{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007558510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:42.900{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007558509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:42.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007558508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:42.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F18E223089867D90CADEB29E07B07D9B,SHA256=9D4D2E851B844D6EB9885D9C0F3D1236E82E8D784E9633D29118C29961546633falsetrue 11241100x80000000000000007558507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:42.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:42.083{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B249F67F1B4D02F148DD3E8151DD0A,SHA256=E60D9D7CAAB2B9B49409691D31F6CAB2C2042F4EB733B892B38174A635FF2DFFfalsetrue 23542300x80000000000000002132570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:43.438{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEDC38A4AAE51F25D0D4142C978B277,SHA256=14F7E04F5813F62BC44AFFDC8089D7AEE3B341734C4CF2A6AEEA554D4537D740,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007558566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:43.999{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007558565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007558564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007558563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007558562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007558561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007558560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007558559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007558558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007558557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007558556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000007558555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007558554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007558553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007558552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007558551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007558550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007558549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007558548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007558547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007558546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007558545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007558544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007558543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007558542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007558541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007558540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007558539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007558538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007558537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007558536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft 
WindowsValid 734700x80000000000000007558535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007558534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007558533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007558531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007558530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007558529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007558528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007558527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.980{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007558526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.965{4DF467A6-9247-613B-9C22-01000000F001}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007558525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:43.964{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:43.964{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:43.964{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:43.964{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:43.964{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:43.964{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007558519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55C475D09FCB15FBBDD298112931BDA5,SHA256=AC2B0E1C72B3D89D66FC15A2D189367C8FBE07C462EE980815D1FF00036C3492falsetrue 11241100x80000000000000007558517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.633{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D301E2608878CD367A0D0D73E3813D96,SHA256=FB145E9725B93A6C6E5584D3D7D2DE37256D043B7A5762D17FA79A7E62D31097falsetrue 11241100x80000000000000007558515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:43.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62C19F6826E9F79F525E05BCC1053378,SHA256=76AF204F9C430EEE354B45551808CA37F9806511AF5EDBF19E6ABF8167B412BDfalsetrue 11241100x80000000000000007558513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:43.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F24E5FDEF3409B141CE35E72CA0039,SHA256=4D57B31936DC9EBA7627B37A021B8B44910DBD6EAD009E7C1E0E03436E753A9Afalsetrue 23542300x80000000000000002132569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:43.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46BB766D1229CFC5E0F390C6CBC20255,SHA256=BCEAC719E34D13E0F3C83BFD666BCB770174A5858856680DCE59725F341DE810,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002132572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:34.976{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62424-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:44.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FA855DA3DC2DA32BEB65D2B4909303,SHA256=DA748828F5DED4A7852BFD9A834F52AC3F9152012F23C03E1E7C5D2AFD08115A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:44.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:44.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F4C497C65765B8D1FCF5375C84FA361,SHA256=DDC10E34950FE257905695490C574874AC7F31ECE87751C0FE899A81DE523940falsetrue 534500x80000000000000007558637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:44.816{4DF467A6-9248-613B-9D22-01000000F001}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007558636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:44.816{4DF467A6-9248-613B-9D22-01000000F001}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007558737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007558736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007558735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000007558734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007558733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007558732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007558731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007558730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007558729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007558728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007558727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007558726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007558725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007558724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007558723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007558722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007558721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007558720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007558719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007558718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007558717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007558716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007558715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007558714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007558712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x80000000000000007558711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007558710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007558709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007558708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.961{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007558707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.946{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007558706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:45.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
18141800x80000000000000007558704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:45.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:45.945{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000007558700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.399{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007558699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.399{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007558698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.399{4DF467A6-9249-613B-9E22-01000000F001}23921448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.399{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007558696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.399{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007558695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base 
cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007558694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007558693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007558692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007558691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007558690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007558689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007558688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007558687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000007558686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.278{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007558685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007558684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007558683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007558682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007558681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007558680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007558679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007558678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007558677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007558676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007558675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007558674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007558673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007558672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft 
CorporationValid 734700x80000000000000007558671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007558670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007558669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007558668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 
734700x80000000000000007558667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007558666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007558665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007558664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007558663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007558662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007558661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007558660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 
734700x80000000000000007558659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007558658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007558657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007558655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007558654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007558653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007558652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007558651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.262{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007558650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.249{4DF467A6-9249-613B-9E22-01000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007558649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.246{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:45.246{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007558647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 18141800x80000000000000007558646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.246{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:45.246{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:45.246{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007558643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:45.246{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000007558642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:45.246{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265FC12AB6255D57DD19927591014EEF,SHA256=E5905954EA93C599FE37F89019CAB1E413B7754B8494C52DFB06FB6D85EABCBDfalsetrue 354300x80000000000000007558641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:25.763{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56949-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007558640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:25.763{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56949-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000002132574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:46.458{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E9D1A85C4E1A5AEEA244D12391E3C6,SHA256=CD97AEA32893DDBCD75D7D431C2986268E78DB7D6863E729A3F7A86A6722AF36,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007558820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.859{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000007558819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.859{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 534500x80000000000000007558818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.797{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007558817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.797{4DF467A6-924A-613B-A022-01000000F001}57123448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.797{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007558815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.797{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007558814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007558813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 
734700x80000000000000007558812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007558811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007558810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007558809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007558808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007558807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.675{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007558806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007558805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007558804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007558803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007558802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007558801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007558800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007558799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007558798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007558797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007558796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007558795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007558794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007558793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007558792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007558791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007558790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007558789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007558788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007558787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007558786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007558785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000007558784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007558783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007558782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007558781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007558780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007558779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007558778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007558777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007558776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007558774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007558773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007558772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000007558771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007558770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.660{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007558769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.645{4DF467A6-924A-613B-A022-01000000F001}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007558768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:46.644{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:46.644{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:13:46.644{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:46.644{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:46.644{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:46.644{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007558762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152B8A42D2C775AFDD6B8CA8AE92C078,SHA256=796873669C8E2C80F3F08495463E4A4C138F71AF9D017777A0EEE34F8CA7C699falsetrue 11241100x80000000000000007558760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF33233B225E50CCA2CF9C67FFD10B10,SHA256=11C8EB1052FB128CAFBE0F2F26525D611218D5BEF9462381EBC3908F143006BEfalsetrue 11241100x80000000000000007558758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.376{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A49E942C584B4F63219DD41F4F5E201,SHA256=3A99120DFCC7A62032236114C809D1831B0756F0B54098665F11D558171C9070falsetrue 534500x80000000000000007558756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.098{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007558755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.098{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007558754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.098{4DF467A6-9249-613B-9F22-01000000F001}77801776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.098{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007558752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:46.098{4DF467A6-9249-613B-9F22-01000000F001}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
23542300x80000000000000002132575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:47.480{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C43A8677714628FDDA5B588CA8C719,SHA256=9D6CB0A393C5CB7432C707E9789B6A8B8B3815C013E4766BD3545062C296E1CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.711{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.711{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E6D75825238758036D4BC814B737BC,SHA256=6D648885508229164066D75A6E44522E840E1C0A9F98666DE010A2A423EA58CAfalsetrue 11241100x80000000000000007558882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A595AE532436F29000CDCABD12E09748,SHA256=DF7C0DEE32BD0C4F03A3BDE1A7FDDB12FF77BB0E9CC9A73F98E91AC578AC6113falsetrue 11241100x80000000000000007558880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46F92FDF903CCC14E5FFF0E67EB67483,SHA256=11C21A74C6CF14DF93E68351E368732FF99408DCEB4DD43AD52CEF900111C506falsetrue 11241100x80000000000000007558878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85637D5F219A15949FCF72C52C534085,SHA256=B358D558A2925B6A5A4FFD5DDACB06FBB86DF2E6B00B88FC1E2617E8F7F445AEfalsetrue 
534500x80000000000000007558876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.496{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007558875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.496{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007558874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.496{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007558873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.496{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007558872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.374{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007558871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.374{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007558870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.374{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007558869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:47.374{4DF467A6-924B-613B-A122-01000000F001}5132\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007558868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.374{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007558867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:47.374{4DF467A6-924B-613B-A122-01000000F001}5132\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007558866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.358{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007558865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.358{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007558864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:47.358{4DF467A6-924B-613B-A122-01000000F001}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007558909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007558908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007558907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007558906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote 
Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007558905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007558904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007558903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007558902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007558901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007558900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007558899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007558898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:48.042{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007558897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007558896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007558895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007558894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007558893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007558892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.042{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007558891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:48.027{4DF467A6-924C-613B-A222-01000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007558890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:48.026{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:48.026{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:48.026{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000007558887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:48.026{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007558886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:13:48.026{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007558885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:13:48.026{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007558952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:49.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:49.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7551F4F54E54E58B2C2DA87562036C0C,SHA256=C7C99B19B72749312DFE95F17DA3FE9F691368D276ED41843539C755898ABA7Afalsetrue 354300x80000000000000002132580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:40.816{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62425-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x80000000000000002132579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:49.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD59EA51C952F6304ECF96ABF8FE23B0,SHA256=BABB6E0F9306544DC4B8F5DF1C814CC3BCCE24F3E1F7039463BC7F9F5C5FACB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:49.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:49.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E81F556EA306572E2CF3F18D69A8D4,SHA256=4A4F936D078FBC34EB77375A502B35DED4B296CA418ADB908FAEEAD9D655400Afalsetrue 23542300x80000000000000002132578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:49.184{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA541B0C2F721FF3CC4850671DE982D0,SHA256=4F3C794EB6AFF05DE9CAD35585FBC05C215C659ECA827CC7A58AB0D1C9417EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:49.183{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8730305B909199F9605A6B2A4163F6A5,SHA256=D166BF52F8FE9D735E4E335E62822B29168F5F90CA6C96484B38AE7B040ED95A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:50.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:50.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DD19A598DFAD81E3080CF850A345BD,SHA256=CD370EC9A1690F19DE63E735638A25738D0594D2F429DFDEA3DB431B19B49CC4falsetrue 23542300x80000000000000002132582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:50.884{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA541B0C2F721FF3CC4850671DE982D0,SHA256=4F3C794EB6AFF05DE9CAD35585FBC05C215C659ECA827CC7A58AB0D1C9417EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:50.519{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7B1105E0269071439EB7BCC56A716A,SHA256=66578CBE36440E11E48E4E21A13F1DA18AB47D16B3A842CC5BAAF60652DA9936,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:51.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:51.652{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D0339DF3E53B3778BF6918AF974D16,SHA256=681209ED06297546CC0810134BF7AA9E4F341EC5156870DBF41332D2376CEA97falsetrue 23542300x80000000000000002132583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:51.521{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6DC4E6B82E61AEF7B8129B79A315C4,SHA256=EE2EFA5FC48421987D0A08BFAEE19396742908B1E3C349499698BDDB7FE90388,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:52.734{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007558959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:52.734{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C42DAECCDB4A6C4C83EDC8208FA895A,SHA256=D6FC91037A0BFCA14E3CF07B0278DF0B945FE7C6D648804E4D58AC715756503Dfalsetrue 23542300x80000000000000002132584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:52.539{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0791E4E8088A0221D9435537C9C89417,SHA256=35B3B9BDDFEF695D6B3455556D23C7995A6487B9A8EE84F08BEE4B58F34C522B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007558958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:52.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:52.687{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF3B1B89CF3A40835F4FB19EF35C1F62,SHA256=8CB4350732351B12DD2E3ABC2507EDCCCE3ED87A7CDC766E32C8CB4F5046C28Efalsetrue 11241100x80000000000000007558973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:53.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007558972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5D874810C1FF0DFA0F7578DF5BEA46,SHA256=F5CE00DD01343D79C58F9C0527E0BE73EB05B59D316C1A305614362CB7D97154falsetrue 23542300x80000000000000002132585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:53.541{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB23F5E4990ED57CAC4ADFD8F6501E8,SHA256=F663A0F5687C4B7BC62469B38DC5CC4AA892546D1AD9AC059441A562AD5FEB3F,IMPHASH=00000000000000000000000000000000falsetrue 24542400x80000000000000007558971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.664{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=0A605BE8B8405A0A14A49589E0EFFB3F,SHA256=15D269987FE259175BC25F153645756813A1E2A65F5A09DF9392FD231228B143true 10341000x80000000000000007558970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:53.664{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007558969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.664{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007558968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:53.664{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-0A605BE8B8405A0A14A49589E0EFFB3F15D269987FE259175BC25F153645756813A1E2A65F5A09DF9392FD231228B1432021-09-10 17:13:53.664 10341000x80000000000000007558967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.664{4DF467A6-3F58-6132-2B00-00000000F001}29483972C:\Windows\sysmon64.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007558966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=582D6F453A1DC91764282E792ECF94EF,SHA256=7FB7988B2D32493AF4A58B209C83A249770148AD44205BCE417FB8922F939BB4falsetrue 
11241100x80000000000000007558964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.349{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007558963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.349{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20EBB17C456015FA59506701AFC08F45,SHA256=B65AA589B34A14A026FCFD5BE306F20A4A6AA0861438B8E7398B76E90CEE9228falsetrue 11241100x80000000000000007558962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007558961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:53.183{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77C78DB26E99A2B848886E9904CD862E,SHA256=54ECCAFB16023AE9E3FF53ECF7FB37D5460FA846ECAD0450811E0052E55325C3falsetrue 11241100x80000000000000007558976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:54.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 
15:28:51.675 23542300x80000000000000007558975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:54.762{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B29B0B9D191C89B0F11A99EE51AA7C,SHA256=3FC247FAFE9D38DA705312A46E8EA5C662370200EAC80E05694B7EB0DF889100falsetrue 10341000x80000000000000002132600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.696{AEE49BD1-9252-613B-BC1B-01000000F101}17962924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9252-613B-BC1B-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:54.574{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9252-613B-BC1B-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.574{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9252-613B-BC1B-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.559{AEE49BD1-9252-613B-BC1B-01000000F101}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:54.543{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F523B953CD91413094061C13B1D06673,SHA256=383236692BEF9A23A24B8F41C1608EED6DFE92F3B90ACAC392D11856AD01D57E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000007558974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:35.029{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56952-false10.0.1.12-8000- 10341000x80000000000000002132658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.912{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9253-613B-BE1B-01000000F101}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.796{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-9253-613B-BE1B-01000000F101}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.796{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9253-613B-BE1B-01000000F101}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.792{AEE49BD1-9253-613B-BE1B-01000000F101}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.791{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046CFE44F2DCE11C48BC79F8C6C939DB,SHA256=FC2FDF864B95CD4866D16B4790957ECCF42EE610D48EC9E7CD9240262247F560,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000002132615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:46.827{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62426-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000007559449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.998{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-09 17:20:34.561 11241100x80000000000000007559448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.982{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245 13241300x80000000000000007559447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007559446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007559445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local 
Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007559444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007559443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 13241300x80000000000000007559442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 734700x80000000000000007559441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44trueMicrosoft WindowsValid 734700x80000000000000007559440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 734700x80000000000000007559439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 13241300x80000000000000007559438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007559437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.982{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 11241100x80000000000000007559436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.982{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 11241100x80000000000000007559435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.982{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 
11241100x80000000000000007559434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.979{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 12241200x80000000000000007559433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:13:55.978{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\|y 11241100x80000000000000007559432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000007559431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{84B18CAD-1A34-4DA3-B9A1-31FE7B1F04CF}.tmp2021-09-10 17:13:55.961 734700x80000000000000007559430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msxml6.dll6.30.14393.4530MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=10A0259030F41545ECAFB6A595F7C457,SHA256=CF160C3ADCE5AA2357697A02C6FC38071CBE1818B036F1C67F746868EB7F814DtrueMicrosoft WindowsValid 11241100x80000000000000007559429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:55.961{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 734700x80000000000000007559428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A422-01000000F001}676C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007559427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A422-01000000F001}676C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11trueMicrosoft WindowsValid 11241100x80000000000000007559426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 734700x80000000000000007559425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x80000000000000007559424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A422-01000000F001}676C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08trueMicrosoft WindowsValid 734700x80000000000000007559423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-9253-613B-A422-01000000F001}676C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DAtrueMicrosoft WindowsValid 10341000x80000000000000007559422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:55.961{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A422-01000000F001}676C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.961{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A422-01000000F001}676C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007559420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.929{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000007559338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.929{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000007559337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.929{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 10341000x80000000000000007559336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.929{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.929{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=10C2F44AFB6F9D7EDD3ACCB778015DBB,SHA256=902D9B813512ADA95F77940D76C28F64507B6DF5596640BA7E0DF3587A026601falsetrue 10341000x80000000000000007559334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.929{4DF467A6-3F48-6132-1100-00000000F001}3601648C:\Windows\system32\svchost.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:55.929{4DF467A6-3F48-6132-1100-00000000F001}3601648C:\Windows\system32\svchost.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007559332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.929{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007559331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 12241200x80000000000000007559330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007559329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007559328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007559327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007559326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007559325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x80000000000000007559324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 
12241200x80000000000000007559323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007559322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007559321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007559320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007559319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007559318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007559317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007559316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000007559315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007559314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007559313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007559312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000007559311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007559310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007559309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007559308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 23542300x80000000000000007559307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=530D4240AD1056C0FE8CFAF1EE599806,SHA256=3AED692C2FC306F0C7B5317A71CEB800FD316990DBA8D1A4DFDDDFD07BBD1DCAfalsetrue 12241200x80000000000000007559306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000007559305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 12241200x80000000000000007559304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007559303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000007559302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x80000000000000007559301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 12241200x80000000000000007559300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000007559299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007559298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 734700x80000000000000007559297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000007559296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000007559295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.914{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000007559294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=20374BF312C45305E81879CE123AEE71,SHA256=6F4A8B39DEDDEEA39F07505FDFD52B7F863C52DCED7943C85620EAD395937C74falsetrue 734700x80000000000000007559292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 13241300x80000000000000007559291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.914{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\SessionIdBinary Data 10341000x80000000000000007559290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-3F46-6132-0B00-00000000F001}636NT 
AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=ADAD3727E6408999823829483E952E0D,SHA256=8FE0EC44C97C40B22861C5BF25F2D37FAA3C873A3AB064A6023E89FD422ADAD1falsetrue 10341000x80000000000000007559288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.914{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.898{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000007559285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities827 15,134 15,2086 15,1074 15,2413 15,2402 15,129 15,2159 10,1001 15,103 15,2324 15,121 15,1000 15,185 15,1445 15,2401 15,1338 50,1338 10,951 15,1282 50,226 15,999 15,1282 10,831 15,2430 15,1338 15,1282 15,1128 15,132 15,2087 15,2328 15,850 15,1039 15,998 15,828 15,829 15,108 15,2323 15,335 15,2088 15,1255 15,830 15,974 15,1249 15,670 15,671 15,111 15,1002 15,669 15,332 15,291 15,1249 10,70 50,2327 15,184 15,120 15,2325 15,2326 15,2329 15,116 15,2403 15,2404 15,2405 15,1209 15,2406 15,334 15,2407 15,1221 15,2408 15,2409 15,2410 15,1443 15,2415 15,937 15,1204 15,2411 15,2412 15,2416 15,2424 15,159 15,109 15,2414 15,2417 15,2418 15,133 15,318 15,160 15,2419 15,114 15,107 15,2420 15,2421 15,131 15,2422 15,2423 15,104 15,102 15,2425 15,2426 15,2427 15,112 15,117 15,106 15,1444 15,115 15,118 15,101 15,2322 15,113 15,105 15,123 15,2428 15,2429 15,2431 15,2432 15,125 15,333 15,331 15,2225 15,336 15,128 15,124 15,100 15,2433 15,1007 15,110 15,2434 15,1446 15,2435 15,2436 15,122 15,1373 15,2437 15,127 15,119 15,1008 15,2438 15,969 15,2439 15,126 15,130 15,1584 50,2159 6 13241300x80000000000000007559284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,22561229,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000007559283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds018409363,20039442,40920709,21378256,19972417,19200086,17134338,34968335,8758344,24131419,19677900,23979203,18375312,18658649,17634580,51655840,18658648,19677907,17183040,17698823,21378211,17650967,18658650,18948503,34968340,18674530,18637650,21313610,18948102,17126295,9319450,18409416,36517339,18948101,18400089,17634578,36761792,34968342,20979747,21378249,21030802,50890251,34968338,34968337,24470607,34968339,7690258,34968341,38013077,6366290,8448079,36274763,34968589,24406167,17182941,20027008,20027009,17182979,7690254,23205313,9176926,17622912,8263521,5850584,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,213782
46,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,1704540
7,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313 12241200x80000000000000007559282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000007559281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 
13241300x80000000000000007559280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000007559279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000007559278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000007559277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000007559276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000007559275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000007559274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000007559273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000007559272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 
13241300x80000000000000007559271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\2DWORD (0x00000000) 12241200x80000000000000007559270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000007559269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000007559268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000007559267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000007559266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000007559265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000007559264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000007559263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000007559262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000007559261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000007559260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000007559259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000007559258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000007559257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 10341000x80000000000000007559256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.898{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.898{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=D1A5E5F2A61E209B1BD5C461881A77A1,SHA256=DCCFCAE10C28722BEFBD11A683614793863F391347556A73D8E596AFC7909FA0falsetrue 12241200x80000000000000007559254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:13:55.898{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\PotentialDataLossInfo2 10341000x80000000000000007559253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.898{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.898{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=F0A7A8071EEBF6BE0F1E6C6CDCD572D9,SHA256=4F394A8D271486ADF48A071B061BD1C93FE8F31B4F6924424D911911655E78D7falsetrue 10341000x80000000000000007559251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.898{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007559250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.882{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 734700x80000000000000007559249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.882{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL16.0.13801.20178Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmsptls.dllMD5=53C631125C4AB3BFA9F7DB70B4B02EFA,SHA256=4F0593A374FE614EBBFAB37A9C39515D695ABA2EF3ADDD72BD912A83426789FEtrueMicrosoft CorporationValid 734700x80000000000000007559248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.882{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program 
Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 10341000x80000000000000007559247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.882{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:55.882{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.882{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007559244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.882{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 12241200x80000000000000007559243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 
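The records above are a Splunk export in which each Sysmon event's XML fields have been run together with no delimiter: the System section (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) followed by RuleName and the EventData fields in schema order. That is workable for most events, but it makes Event ID 10 (ProcessAccess) awkward, because SourceProcessId and SourceThreadId become one digit run ("6367104" is lsass.exe PID 636 plus thread 7104, as the Event 23 record with the same ProcessGuid confirms). The lsass.exe records here are also a reminder that direction matters: in the 17:13:55.898 ProcessAccess records lsass.exe is the source, opening WINWORD.EXE with GrantedAccess 0x1000 from lsasrv.dll and RPCRT4.dll frames, and the svchost.exe-to-lsass.exe records carry 0x1400, which lacks PROCESS_VM_READ; neither is a credential dump, yet a rule that merely matches "lsass.exe" anywhere in an Event 10 would fire on both. The following Python is an added example, not part of the export or of any Sysmon or Splunk tooling: it splits such a blob into records, recovers the PID/TID split through ProcessGuids learned from the other events (falling back to a multiple-of-four heuristic when the GUID was never seen with a bare PID), and judges lsass.exe involvement by target and access mask. The sample records are constructed to the export's layout; the WINWORD.EXE, lsass.exe and svchost.exe PIDs, GUIDs and paths mirror the page, while dump.exe (PID 5212) and its records are hypothetical and appear nowhere on the page.

```python
"""Parse Sysmon records whose XML fields were run together by the export (the layout on this
page) and triage Event ID 10 (ProcessAccess) records that involve lsass.exe. Added example,
not part of the export. Field order follows the Sysmon schema: System (EventID, Version, Level,
Task, Opcode, Keywords, EventRecordID, Channel, Computer), RuleName, then the EventData fields.
SAMPLE is constructed to that layout; dump.exe (PID 5212) is hypothetical, not on the page."""
import re
PROCESS_VM_READ = 0x0010  # the access right a memory dump of lsass needs

# System section. Task repeats EventID, so the backreference pins the split of the leading digit run.
HEADER = re.compile(
    r"(?P<event_id>\d{1,2})\d\d(?P=event_id)\d0x[0-9A-Fa-f]{16}(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>[\w.-]+?)-(?=[A-Za-z]*\d{4}-)")
# EventData prefix shared by all events: EventType (registry events only), UtcTime, ProcessGuid.
BODY = re.compile(r"(?P<etype>[A-Za-z]+)?(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
                  r"\{(?P<guid>[0-9A-Fa-f-]{36})\}")
# Events 7/11/12/13/23: ProcessId is followed by a text field, so it ends unambiguously.
PID_THEN_TEXT = re.compile(r"\d+(?=[A-Za-z])")
# Event 10: SourceProcessId+SourceThreadId as one run, SourceImage, TargetProcessGUID, TargetProcessId,
# TargetImage, GrantedAccess, CallTrace.
ACCESS = re.compile(
    r"(?P<run>\d+)(?P<src_image>[A-Za-z]:\\[^{]+)\{[0-9A-Fa-f-]{36}\}(?P<tpid>\d+)"
    r"(?P<tgt_image>[A-Za-z]:\\.+?)(?P<access>0x[0-9A-Fa-f]+)(?=[A-Za-z]:\\|$)(?P<calltrace>.*)")

def split_records(blob: str) -> list[str]:
    """Cut a concatenated export into records at each System-section header."""
    starts = [m.start() for m in HEADER.finditer(blob)]
    return [blob[a:b].strip() for a, b in zip(starts, starts[1:] + [len(blob)])]

def parse_record(rec: str) -> dict:
    h = HEADER.match(rec)
    b = h and BODY.match(rec, h.end())
    if not b:
        raise ValueError("unrecognised record: " + rec[:48])
    d = {"event_id": int(h["event_id"]), "record_id": int(h["record_id"]),
         "event_type": b["etype"], "utc": b["utc"], "guid": b["guid"]}
    rest = rec[b.end():]
    if d["event_id"] == 10:
        a = ACCESS.match(rest)
        if not a:
            raise ValueError("unrecognised ProcessAccess body: " + rest[:48])
        d.update(a.groupdict(), access=int(a["access"], 16))
    elif (p := PID_THEN_TEXT.match(rest)):
        d["pid"] = int(p.group())
    return d

def candidate_splits(run: str) -> list[tuple[int, int]]:
    """Fallback when the GUID was never seen with a bare PID: Windows issues PIDs and TIDs in
    multiples of 4, which prunes the split but rarely settles it."""
    return [(int(run[:i]), int(run[i:])) for i in range(1, len(run))
            if run[i] != "0" and int(run[:i]) % 4 == 0 and int(run[i:]) % 4 == 0 and int(run[:i]) >= 4]

def triage(blob: str) -> list[dict]:
    """Resolve each ProcessAccess source PID/TID through GUIDs learned from the other events,
    then judge lsass.exe involvement by direction and by the access mask."""
    recs = [parse_record(r) for r in split_records(blob)]
    guid_to_pid = {r["guid"]: r["pid"] for r in recs if "pid" in r}
    findings = []
    for r in (r for r in recs if r["event_id"] == 10):
        pid, run = guid_to_pid.get(r["guid"]), r["run"]
        if pid is not None and run.startswith(str(pid)) and len(run) > len(str(pid)):
            src_pid, src_tid, cands = pid, int(run[len(str(pid)):]), []
        else:
            src_pid, src_tid, cands = None, None, candidate_splits(run)
        if r["tgt_image"].lower().endswith("lsass.exe") and r["access"] & PROCESS_VM_READ:
            verdict = "SUSPICIOUS"  # something is reading lsass memory
        elif r["tgt_image"].lower().endswith("lsass.exe"):
            verdict = "benign: lsass.exe opened without PROCESS_VM_READ"
        else:  # includes lsass.exe as the source, as in the export above; a name-anywhere rule would fire
            verdict = "benign: lsass.exe is not the target"
        findings.append({"record_id": r["record_id"], "src_pid": src_pid, "src_tid": src_tid, "candidates": cands,
                         "src_image": r["src_image"], "tgt_image": r["tgt_image"], "access": r["access"], "verdict": verdict})
    return findings

# Constructed sample in the export's layout, records separated by one space as on the page.
HOST, KW = "win-dc-291.attackrange.local", "0x8000000000000000"
G_WORD, G_LSASS = "{4DF467A6-9253-613B-A322-01000000F001}", "{4DF467A6-3F46-6132-0B00-00000000F001}"
G_SVC, G_DUMP = "{4DF467A6-3F47-6132-0C00-00000000F001}", "{4DF467A6-925A-613B-A400-01000000F001}"
WORD, LSASS = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE", r"C:\Windows\system32\lsass.exe"
TMP, TRACE = r"C:\Users\Administrator\AppData\Local", r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|"
DUMP = TMP + r"\Temp\dump.exe"  # hypothetical tool, not on the page

def record(event_id: int, version: int, record_id: int, body: str) -> str:
    return f"{event_id}{version}4{event_id}0{KW}{record_id}Microsoft-Windows-Sysmon/Operational{HOST}-{body}"

SAMPLE = " ".join([
    # Event 12 by WINWORD.EXE (PID 4124) and Event 23 by lsass.exe (PID 636): PID followed by text.
    record(12, 2, 7559265, "CreateKey2021-09-10 17:13:55.898" + G_WORD + "4124" + WORD
           + r"HKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0"),
    record(23, 5, 7559255, "2021-09-10 17:13:55.898" + G_LSASS + r"636NT AUTHORITY\SYSTEM" + LSASS + TMP
           + r"\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=" + "0" * 32 + ",SHA256=" + "0" * 64 + "falsetrue"),
    # Event 10 lsass.exe -> WINWORD.EXE, 0x1000: the run 6367104 is PID 636 + TID 7104.
    record(10, 3, 7559256, "2021-09-10 17:13:55.898" + G_LSASS + "6367104" + LSASS + G_WORD + "4124"
           + WORD + "0x1000" + TRACE + r"C:\Windows\system32\lsasrv.dll+4e83f"),
    # Event 10 svchost.exe -> lsass.exe, 0x1400: no record pairs this GUID with a bare PID.
    record(10, 3, 7559247, "2021-09-10 17:13:55.882" + G_SVC + r"8364816C:\Windows\system32\svchost.exe"
           + G_LSASS + "636" + LSASS + "0x1400" + TRACE + r"c:\windows\system32\lsm.dll+f86b"),
    # Hypothetical: dump.exe writes lsass.dmp (Event 11), then opens lsass.exe with 0x1FFFFF.
    record(11, 2, 7559300, "2021-09-10 17:14:02.000" + G_DUMP + "5212" + DUMP + TMP + r"\Temp\lsass.dmp2021-09-10 17:14:02.000"),
    record(10, 3, 7559301, "2021-09-10 17:14:02.010" + G_DUMP + "52125240" + DUMP + G_LSASS + "636"
           + LSASS + "0x1FFFFF" + TRACE + DUMP + "+1f2a"),
])
```

Running triage(SAMPLE) yields three findings: the lsass.exe-to-WINWORD.EXE record resolves to PID 636 / thread 7104 and is benign because lsass.exe is the source; the svchost.exe record cannot be split exactly (four multiple-of-four candidates, (836, 4816) among them) but is benign because 0x1400 has no PROCESS_VM_READ bit; only the hypothetical dump.exe record, which both writes lsass.dmp and opens lsass.exe with 0x1FFFFF, is flagged. The GUID-first resolution is the design point: the GUID is exact where the PID/TID digit run is not, and it is available because the same process shows up in unambiguous events nearby, so a triage script should build that map from the whole export before looking at any Event 10.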
12241200x80000000000000007559235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000007559234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.882{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 11241100x80000000000000007559233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.880{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{A030F060-70C2-453B-9F34-02D4233461CD}2021-09-10 17:13:55.880 734700x80000000000000007559232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.880{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 12241200x80000000000000007559231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007559230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007559229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 13241300x80000000000000007559228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.879{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 12241200x80000000000000007559227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007559226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000007559225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.861{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x80000000000000007559224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007559223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007559222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000007559221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000007559220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:13:55.879{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\7060 12241200x80000000000000007559219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:13:55.879{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\7060\0 12241200x80000000000000007559218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000007559217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000007559216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 11241100x80000000000000007559128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.814{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{F8692760-5F22-43EE-86C3-69A0DC5B5346} - OProcSessId.dat2021-09-10 17:13:55.814 13241300x80000000000000007559127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.814{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000001) 13241300x80000000000000007559126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.798{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000002) 734700x80000000000000007559125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.798{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=4479EEB5C5400D4C084274BA015750FA,SHA256=6B30AE7147132038E603EEB2D35C35BB3D03EC5AFA560D31969E2D39A44ACDCDtrueMicrosoft WindowsValid 13241300x80000000000000007559124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.798{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 12241200x80000000000000007559123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.798{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124 734700x80000000000000007559122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.798{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 13241300x80000000000000007559121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.798{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling\0Binary Data 734700x80000000000000007559120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL16.0.13801.20796Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMSO.dllMD5=DEAB06C2DDF8959448455176D2A1754E,SHA256=49708B1D39D76B2E9F096B95BCB30B6601D3B5C8E1D84830740EC25FE8F38F39trueMicrosoft CorporationValid 
734700x80000000000000007559119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000007559118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000007559117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13801.20808Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=58F3352E3A0867817F759EA7940F2E10,SHA256=86AFDD63CFCA5B03D5265A2828F073CA401FE00B555B40AD9A0F7A193E200315trueMicrosoft CorporationValid 734700x80000000000000007559116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll16.0.13801.20442Microsoft Office componentMicrosoft 
OfficeMicrosoft CorporationMso50Win32Client.dllMD5=AF5E26C38079AF31CCAA732B6A351A0D,SHA256=C0BBDC787DCD21EF78B89B6C18C81A1ECC8F5B4D3C4E2F412525FD70039E667DtrueMicrosoft CorporationValid 734700x80000000000000007559115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmso40uiWin32Client.dllMD5=42CCB21CAB1B66AA9C7FF859A4BED97B,SHA256=76EFA67F0B7EA66DEAB42DB051DBCBA4B05EC04032B1D8AAE5E7761D7C6CA24FtrueMicrosoft CorporationValid 734700x80000000000000007559114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.782{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 734700x80000000000000007559113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.781{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso30Win32Client.dllMD5=F4FDCEA65C429F01EEC45163F005B5E3,SHA256=F3FF96E7EBF9E4BB43170456395F09C1DAB832B1F66EBFAFF5EF54344DB929D5trueMicrosoft CorporationValid 734700x80000000000000007559112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:55.779{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x80000000000000007559111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.778{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x80000000000000007559110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.778{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007559109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.777{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValid 
734700x80000000000000007559108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.777{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007559107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.776{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000007559106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.776{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000007559105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.761{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptui.dll10.0.14393.3321 (rs1_release.191016-1811)Microsoft Trust UI ProviderMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCRYPTUI.DLLMD5=7BA8C29986BA103E2353D405DCCB87D7,SHA256=E9FFD440B5318D65AC2A38125CC417C8F34C6344CA8D9251A8ABE74D14C518B8trueMicrosoft WindowsValid 734700x80000000000000007559104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.761{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=33E67D19ED73BD77FAB770F3677363E0,SHA256=3A7198AC7F995AE9FCA91372AFC3719C04417D638EE37EAA3162DE0A99F0F6B9trueMicrosoft CorporationValid 734700x80000000000000007559103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.761{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x80000000000000007559102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.761{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_aec97a71ddd5fa56\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=D1F325FD8BA2F0AA9F853CB05DBDE6F6,SHA256=ED1FDCE716A2D5E0703DEBAE0E272BAA49C750B31773E9C0ADFCF5F9758F9350trueMicrosoft WindowsValid 
734700x80000000000000007559101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.761{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\OART.DLL16.0.13801.20688Microsoft OfficeArtMicrosoft OfficeMicrosoft CorporationOART.DLLMD5=A4816E74F5F4F3A1D9B6637EB47C8B23,SHA256=9447582F286D97A4707BB8A6847398637D742E5ED653804EE94E495E3E3BF339trueMicrosoft CorporationValid 734700x80000000000000007559100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.761{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL16.0.13801.20854Microsoft WordMicrosoft OfficeMicrosoft Corporationwwlib.dllMD5=88AD4C5ED7EE51A82DDB8DF471E749B6,SHA256=E21BE93D40924965E74C6D1619F3C9AEE1FE09F535C8260B61387984DF55BC2DtrueMicrosoft CorporationValid 12241200x80000000000000007559099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.745{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun 12241200x80000000000000007559098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.745{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office 12241200x80000000000000007559097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.745{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft 12241200x80000000000000007559096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.745{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE 10341000x80000000000000007559095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.745{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+498a3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5206d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5132f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x80000000000000007559093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data 
13241300x80000000000000007559092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6Binary Data 13241300x80000000000000007559091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14Binary Data 11241100x80000000000000007559090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious Docs.lnk2021-09-10 17:09:50.434 12241200x80000000000000007559089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14 12241200x80000000000000007559088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\6 23542300x80000000000000007559087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CVE-2021-40444 Malicious 
Docs.lnkMD5=7C321ABA25A676CDDB3D18DBB189F8D2,SHA256=A181FCC522550FE3491BC4464F780F092B2F9EA66ABFEB89921AA94D1F373319falsetrue 12241200x80000000000000007559086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder 12241200x80000000000000007559085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 13241300x80000000000000007559084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.745{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 10341000x80000000000000007559083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.745{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5eac4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5fb06|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+178f5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0e4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000007559082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.745{4DF467A6-D3A4-6138-36CD-00000000F001}67805852C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4177c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18b13|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18013|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+19af2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0bf|C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 12241200x80000000000000007559081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.730{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 13241300x80000000000000007559080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.730{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\MRUListExBinary Data 13241300x80000000000000007559079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=F60E0D8C88242FE8CA38A8562685F231,SHA256=254F5CDE2DEF2BF3941F746E4902A36F5169BF73AE9E258E49BC1FEF7B26EC99trueMicrosoft CorporationValid 734700x80000000000000007558993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=766F0D18983E0810882FBA122AD1163E,SHA256=F10EF6DE6C651DB42DBD455A1C674047862CEBF6CCCE1F784CDB0571C9EA9757trueMicrosoft CorporationValid 734700x80000000000000007558992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=74B5641A50C27B57ED0DA622E66A239E,SHA256=A571D26E536D4F7DA93ACC24EDB1D823140B660795576DC27F626F1889106D36trueMicrosoft CorporationValid 734700x80000000000000007558991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll16.0.13801.20442Microsoft Office Shell Extension HandlersMicrosoft OfficeMicrosoft 
Corporationmsoshext.dllMD5=08AB004F0278B5B461F732D7740A5874,SHA256=A8C1819BFD9FAD66B3360E7757F63A18E1C7D961217B01DBD7C0764217D4027CtrueMicrosoft CorporationValid 12241200x80000000000000007558990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007558989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007558988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\RegisteredApplications 12241200x80000000000000007558987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000007558986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 12241200x80000000000000007558985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids 
12241200x80000000000000007558984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 12241200x80000000000000007558983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007558982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.698{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007558981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.530{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000007558980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.530{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9752b235-0000-0000-0000-100000000000} 12241200x80000000000000007558979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.530{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 
12241200x80000000000000007558978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.530{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 12241200x80000000000000007558977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:55.530{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000002132614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9253-613B-BD1B-01000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132611Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132610Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132609Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132608Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:13:55.174{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9253-613B-BD1B-01000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.174{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9253-613B-BD1B-01000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.159{AEE49BD1-9253-613B-BD1B-01000000F101}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:55.043{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929F2AFFAA9D0FDA16A4D3DC888894E4,SHA256=0514ADCB2E1E758AB41AF4149C389900C09FC88C7A8D58D97A048687624D7843,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000002132660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:56.745{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B81D1DD4BF39E1D9DF322522775E2AD,SHA256=1BCCDBA5B1BE411B806F0E39DB13A0FABCD2F67ACFEA7FBBB0F16D49D222CA3E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007559902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 11241100x80000000000000007559901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 22542200x80000000000000007559900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.312{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 11241100x80000000000000007559899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 10341000x80000000000000007559898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.310{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.309{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE 11241100x80000000000000007559894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 10341000x80000000000000007559893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.018{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 11241100x80000000000000007559891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007559890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=32770A7736E817D30291E11B10BD0BC2,SHA256=8DEE0EA9011174690328089AC5F8B227FA4571431F35DC724DB0CC9FCEA990DBfalsetrue 10341000x80000000000000007559889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.980{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.015{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 11241100x80000000000000007559887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.979{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 10341000x80000000000000007559886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.978{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.014{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.976{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
22542200x80000000000000007559883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.004{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 11241100x80000000000000007559882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.975{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 10341000x80000000000000007559881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.996{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 11241100x80000000000000007559879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 
10341000x80000000000000007559878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.995{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.975{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.974{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49FMD5=994516AF8ADCD21EA23E6EF74DE88A66,SHA256=C594EC9AAA3E4062989DF54C1F7B45F5BB869D8468DD124D80BF2DB4869E5A18falsetrue 10341000x80000000000000007559870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.938{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000007559867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=09E0A167330464FFA21CE772919D53DB,SHA256=7D170456BDB27539E262B9DF6B7BDFD6A9FC064AD5DE450F3F0BE0978427E2A1falsetrue 10341000x80000000000000007559866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.927{4DF467A6-9253-613B-A322-01000000F001}4124pawevi.com9003-C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=3AEE3F67110797A9FD4EBB7ADCA8ABC2,SHA256=277C8D2EFD45CB1A902267F3BD445CDE52B1BC137D292D8C89F86B95684D51E4falsetrue 10341000x80000000000000007559862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.884{4DF467A6-9253-613B-A322-01000000F001}4124login.windows.net0type: 5 a.privatelink.msidentity.com;type: 5 prda.aadg.msidentity.com;type: 5 www.tm.a.prd.aadg.trafficmanager.net;::ffff:20.190.151.7;::ffff:20.190.151.70;::ffff:20.190.151.133;::ffff:20.190.151.68;::ffff:20.190.151.132;::ffff:20.190.151.134;::ffff:20.190.151.69;::ffff:20.190.151.8;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=7F3B29A402432B0705BECFB070B92C8D,SHA256=5A1058799674A37CA315623CA7F0D61D764489815E1055C3137BDC96D1D2BA03falsetrue 10341000x80000000000000007559858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007559857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.797{4DF467A6-9253-613B-A322-01000000F001}4124support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:23.192.208.23;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007559856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.959{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007559855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=715680FB99211163CDBE6490EA0ED1A3,SHA256=7BE59C3B10E66EDDA67418D2D3BF22B8C248DDCD2C5E017CBEB12598A20F0A96falsetrue 10341000x80000000000000007559853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=D0133B1E86CAA924863BDE6EB96028A1,SHA256=4A176BE42A80ED5E8921B10149DF3400022A137D7DDFB7F0612402D5508875B4falsetrue 10341000x80000000000000007559851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=01ECA7A2068C59FD53163D687A54BB05,SHA256=03C9CEB8CD1B8838FA8E7DFD74EBF8BF9637DFF788F038CA12958182DFC0AC4Afalsetrue 10341000x80000000000000007559849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.944{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=5A3A840FE6836CD4D365F1F52DC85141,SHA256=1D3A7E0CCB4F517A91F02BC11222794B5FBBDBA99EA1AC1D2D4BB52FD8EE11EEfalsetrue 10341000x80000000000000007559847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=659A4926A2FDC941DC67E83DD601DFD6,SHA256=D08FDEA7FD073AD0F7C1EA1C61A628DD14D1F7E1124242B3084FF8D023AF10CFfalsetrue 10341000x80000000000000007559845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=7AFE4309BD5EB34D83D9BA8685DA1159,SHA256=1F273D66AFB34E1DEB908AC4A4D4C3AAEA06E456A7E8DA3BB6F5912C93FFD4EAfalsetrue 10341000x80000000000000007559843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=C9E854B38CA82EFC34373E51222A1EC6,SHA256=98F06FF36D41A5797E41BB6AB5100A035A3BDA2698255CAF8D2E88C711C081B8falsetrue 10341000x80000000000000007559841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.928{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=B2BB48095C3B129B92EC44E1C08DD6CA,SHA256=62C6FEA95DB3DE1B9395C12792FCC391730BA6350435FA2B4224FD80B048E140falsetrue 10341000x80000000000000007559839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.912{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.912{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=BFF4D83EEECE9E69B439369933E97EFB,SHA256=BA1BE3AFB13841273D7446E2DE97B47A360504F9B33410DE8BB4F7EF36D7654Ffalsetrue 10341000x80000000000000007559837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.912{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007559836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.881{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-09 17:20:36.243 11241100x80000000000000007559835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.881{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-09 17:20:35.943 11241100x80000000000000007559834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.881{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-09 17:20:35.191 11241100x80000000000000007559833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.876{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-09 17:20:34.561 
10341000x80000000000000007559755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=98199377DE3CF9C882D350FAD712EF31,SHA256=0AEDDDD492FAE52094599C4976F667BA917F197C016178F9BF7001EEE9F4943Ffalsetrue 10341000x80000000000000007559753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=6D36146938AC8228E50F558138C32D77,SHA256=D349F4E5848AE35978A1AE59BEF16C71B63AC9BBE7D4495046625987E6B968ACfalsetrue 10341000x80000000000000007559751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=BDFA7BBD5920F8BA8B6326F99B752E7B,SHA256=C99C143824B52D80AA0EB0516C87B9B856467BF113846BADBD7B0B1F0F19601Bfalsetrue 734700x80000000000000007559749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007559748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppobjs.dll10.0.14393.4583 (rs1_release.210730-1850)Software Protection Platform PluginsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsppobjs.dllMD5=70045B78DCFD4DE800A61A51E60D83DC,SHA256=557A2F2C1F6E766E3CBE8A6E91F7614717848B754242097E820C32EED148A530trueMicrosoft WindowsValid 10341000x80000000000000007559747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=3EFD22A641892869DB50F975635B6FD9,SHA256=051093645182E199AA885D66304C054DF7F3D8A084EE331BDF514F2FCEA82F74falsetrue 10341000x80000000000000007559745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.681{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=22EED0CD9F57CE96446A93DBB9EF2221,SHA256=05C637387BC45AF7ED4210A701669232F1D0D8B853D2F1750300AEB2BA13CBBBfalsetrue 734700x80000000000000007559743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.679{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7trueMicrosoft WindowsValid 734700x80000000000000007559742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.679{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\Clipc.dll10.0.14393.0 (rs1_release.160715-1616)Client Licensing Platform ClientMicrosoft® Windows® Operating SystemMicrosoft 
CorporationClipC.dllMD5=C1ADE6C578AFD608EBC63BEB0F85ABD7,SHA256=7195914FD6FF035601607636E8EEFC58074852FD9983DB4A7E9DFEAEFA3D8382trueMicrosoft WindowsValid 10341000x80000000000000007559741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.678{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.678{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=EB4B8F9049B7DFF8D48DA8DDF1002D42,SHA256=30A46098F5699A1803028E408F4D2543BE1B9512F127436118D49B577453B243falsetrue 734700x80000000000000007559739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.678{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppwinob.dll10.0.14393.4530 (rs1_release.210705-0736)Software Protection Platform Windows PluginMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsppwinob.dllMD5=131DCFFFD0F2560BCD89F6ECBCC8A2D1,SHA256=5FB678235EC5BB4417B9D69AD7095A6C13AC1C008FA2647BE09205434E57AA4AtrueMicrosoft WindowsValid 11241100x80000000000000007559738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.678{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007559737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369C0B168F547C1609D7858F9D246E19,SHA256=B90D691CC78EA73F4AB867FB46CB050563F359511965E4DE2D5298CA8EA2029Afalsetrue 10341000x80000000000000007559736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.660{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.660{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=533B2ECADB979ED7EA102E8479C97583,SHA256=4D421BF8D611F4CEFBB6E3834F416A82BF347F7F5A57BD192032DCCD44637803falsetrue 10341000x80000000000000007559734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.660{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.660{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=3C9036A1946000594A4ADCC6E01BA180,SHA256=AF811CFBB8CB32DBD52E1486316D5037C761EBCD4392A5C83DF0A84571FF544Dfalsetrue 10341000x80000000000000007559732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.660{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.660{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=8096D0488989C06D7079AE6ECB115AB5,SHA256=431ECDAC53629F6D65AD8008CF4B7920BB3BB9E513CD4931BED057350F882B73falsetrue 10341000x80000000000000007559730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=ADD099597A4C0E354BE8A025675770D2,SHA256=3FB868C45C6801235FB1543BFF19C83CC342EAD0A4C9E54134CD4DB8956A6DBEfalsetrue 10341000x80000000000000007559728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=8F813FE63AAA7C7A30412477CA7A600A,SHA256=99ECF66CF4A7F1F463213D74715E9909A06B8336EB1A3394E69CB729935C3039falsetrue 10341000x80000000000000007559726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007559725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007559724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31195C2919CFCB96DCC0673649F2CF5C,SHA256=A39E5E6C0F958E51BE5CC72BBBE07D9C5BC86A51FFAA611E3170A4AE756F28DAfalsetrue 11241100x80000000000000007559723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
11241100x80000000000000007559722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000007559721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC95F4A5097E64141629893C111E233,SHA256=21E56B1A7EB53ABCA4A90DD3CCB7EBC018A59CC980E361246654A36A986674B0falsetrue 23542300x80000000000000007559720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6F3B264E2B33DFE6C5E2A0C66E21C484,SHA256=36D4AE618BF24AC146ECA5D9FF898C1F307AF4BE392D966AC6A532651752E687falsetrue 11241100x80000000000000007559719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.613{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-09 17:20:36.243 11241100x80000000000000007559718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.613{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-09 17:20:35.943 734700x80000000000000007559717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.597{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\fwbase.dll10.0.14393.0 (rs1_release.160715-1616)Firewall Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfwbase.dllMD5=216C0DC7BEBD19C616A7BCE54F57F70C,SHA256=2305E780D161A736DB237727AC78EC1D2462793FD5013D126621B4BBBB16D743trueMicrosoft WindowsValid 734700x80000000000000007559716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.597{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1FtrueMicrosoft WindowsValid 734700x80000000000000007559715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.597{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\FirewallAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Firewall APIMicrosoft® Windows® Operating SystemMicrosoft CorporationFirewallAPI.DLLMD5=C7DD193AFCCF63B97C559993608EDAF0,SHA256=26E7628E9C65352F730F38D7BF32A845CC1CAEEC034152B1CDE85F9B89D1A6DCtrueMicrosoft WindowsValid 734700x80000000000000007559714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.597{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.HostName.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking.HostName DLLMicrosoft® Windows® Operating SystemMicrosoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.513{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=13196D7F67E7C3789470F259FABF45D0,SHA256=6DCE2A1E0C8BFE4222C5957E693A216B474BB2A12DA69A08823F78BC26483F26falsetrue 734700x80000000000000007559641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.513{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007559640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.513{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007559639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.513{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007559638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007559637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007559636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007559635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppsvc.exe10.0.14393.4530 (rs1_release.210705-0736)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeMD5=280B8B6A6CD8A833284EA11425EE5396,SHA256=FD9A147C6649AC20CBC7C74DC431866468D2E4183ED7B876F7E336382DCC6A40trueMicrosoft WindowsValid 10341000x80000000000000007559634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0B00-00000000F001}636NT 
AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=BDB09438F51D67051F1CC7EB8563BA56,SHA256=81D8E9DBF5333EFD49D24F7021CABDFCEEDDFFBCC2E9A247C4803F932AD98C47falsetrue 10341000x80000000000000007559632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007559631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0A00-00000000F001}6206596C:\Windows\system32\services.exe{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007559630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.474{4DF467A6-9254-613B-A522-01000000F001}6516C:\Windows\System32\sppsvc.exe10.0.14393.4530 (rs1_release.210705-0736)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICE{4DF467A6-3F47-6132-E403-000000000000}0x3e40SystemMD5=280B8B6A6CD8A833284EA11425EE5396,SHA256=FD9A147C6649AC20CBC7C74DC431866468D2E4183ED7B876F7E336382DCC6A40{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000007559629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=30B45572040E2BED32F4B48DF76004FC,SHA256=0FFA77255E4E72F46FC078678C6065C84E2CF5815A9728FEBAD11209BA3914B1falsetrue 
10341000x80000000000000007559627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.497{4DF467A6-3F46-6132-0B00-00000000F001}6362624C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x532a0018) 13241300x80000000000000007559625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x532a0017) 
13241300x80000000000000007559624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x532a0018) 13241300x80000000000000007559623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x532a0017) 13241300x80000000000000007559622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x532a0038) 13241300x80000000000000007559621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x532a0037) 13241300x80000000000000007559620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x532a0016) 13241300x80000000000000007559619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x532a0016) 13241300x80000000000000007559618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.482{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x532a0036) 13241300x80000000000000007559617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.481{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 10341000x80000000000000007559616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.460{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.460{4DF467A6-3F47-6132-0C00-00000000F001}8364816C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.460{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.460{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\LastFetchDetailDWORD (0x0000001e) 23542300x80000000000000007559612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.460{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\SMUOS1QD.cookieMD5=A9AE593ECD93D11AC049FEABFA02ADC0,SHA256=D20F55B1AE565BDC7E96C5F41BDD226FF8E0B5DD6D9E9E480BAA38D6FC9F36C3falsetrue 11241100x80000000000000007559611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.460{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\1KT26VEC.cookie2021-09-10 17:13:56.460 
10341000x80000000000000007559610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.444{4DF467A6-3EE5-613A-21FA-00000000F001}24286828C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.444{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:13:56.444{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000004903DE\VirtualDesktopBinary Data 12241200x80000000000000007559607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.444{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000004903DE 10341000x80000000000000007559606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.444{4DF467A6-3EE5-613A-21FA-00000000F001}24285072C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007559605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.329{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft 
Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid 734700x80000000000000007559604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.329{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 734700x80000000000000007559603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.329{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Globalization.dll10.0.14393.4467 (rs1_release.210604-1844)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=4D2537567A93ABF1D93CB7A7E76F954C,SHA256=5740181B56927C0DC66A6BCECA15EA2806A0ED471A01F785AD47C8C73A1DF85FtrueMicrosoft WindowsValid 11241100x80000000000000007559602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007559601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.298{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 12241200x80000000000000007559550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\246C4EB5 12241200x80000000000000007559549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery 10341000x80000000000000007559548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.245{4DF467A6-3EE5-613A-21FA-00000000F001}24281584C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\windows.storage.dll+3c6ffe|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.245{4DF467A6-3EE5-613A-21FA-00000000F001}24281584C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca15e|C:\Windows\System32\windows.storage.dll+3c5e2f|C:\Windows\System32\windows.storage.dll+3c6f70|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007559546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.245{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000007559545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007559544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.245{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007559543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}41241284C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c76c8|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}41241284C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}41241284C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007559540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User 
MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\Place MRU\Item 1[F00000000][T01D7A6673CCA4450][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\ 13241300x80000000000000007559539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 6[F00000000][T01D7A59EFF901F10][O00000000]*C:\Users\Administrator\Desktop\5047669871509504\938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52.docx 13241300x80000000000000007559538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 5[F00000000][T01D7A5A1B56CE7D0][O00000000]*C:\Users\Administrator\Desktop\5175182148927488\938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52.docx 13241300x80000000000000007559537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 4[F00000000][T01D7A666B3EFA120][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\Project details (1).docx 
13241300x80000000000000007559536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 3[F00000000][T01D7A666D5FD20D0][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\PRD.docx 13241300x80000000000000007559535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 2[F00000000][T01D7A666DCF83CD0][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\A Letter before court 4.docx 13241300x80000000000000007559534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.245{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\User MRU\ADAL_A1170CE15A069AC04A2C75B41CDAB56771DF91F54E569B691BB21B476B613150\File MRU\Item 1[F00000000][T01D7A6673CCA4450][O00000000]*C:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf.docx 11241100x80000000000000007559533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007559532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532F700C35611B8B647FF8616FEE0CCE,SHA256=AB75996319D4562E5082BB629B8B83E49E60C99DB43A1EF2697940720937096Dfalsetrue 734700x80000000000000007559531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.213{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x80000000000000007559530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.213{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid 734700x80000000000000007559529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.198{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® 
Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51trueMicrosoft WindowsValid 734700x80000000000000007559528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.198{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=ACF31D492FD578C0374EB20CC393BE98,SHA256=D49ECA60A94B30DB87CDCEB36F284D273E080E8689E4B0F99D5BD44FFD117A92trueMicrosoft WindowsValid 11241100x80000000000000007559527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.182{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{7D4825E0-82B5-49E6-B038-7AAD56CB80B2}.tmp2021-09-10 17:13:56.182 11241100x80000000000000007559526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.181{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{52E91140-DCC7-4E56-9B1F-9AF304C3BE4F}.tmp2021-09-10 17:13:56.180 13241300x80000000000000007559525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.145{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\http://pawevi.com/e32c8df2cf6b7a16/\EnableBHODWORD (0x00000000) 12241200x80000000000000007559524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:56.145{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\http://pawevi.com/e32c8df2cf6b7a16/ 11241100x80000000000000007559523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007559522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.129{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A871B63769E45EE0444C2A9968166442,SHA256=01FB221FEED94CD57DCD7C760D095F38E2E053989199FC01E675F81152DDC60Afalsetrue 734700x80000000000000007559521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.129{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\hlink.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Microsoft Office 2000 componentMicrosoft® Windows® Operating SystemMicrosoft Corporationhlink.dllMD5=FD7A5F4DF14E2D70CE268E22C5A56650,SHA256=E159200E7E4F627FDCF37230F12412B45C18FB1D3EFB1D3F06B4FE1BAA205351trueMicrosoft WindowsValid 13241300x80000000000000007559520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:13:56.129{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server 
Cache\http://pawevi.com/\EnableBHODWORD (0x00000000) 12241200x80000000000000007559519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.129{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\http://pawevi.com/ 734700x80000000000000007559518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.113{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\davhlpr.dll10.0.14393.0 (rs1_release.160715-1616)DAV Helper DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdavhlpr.DLLMD5=D7A5CB6257EA5F99F80A1075BBFEEB41,SHA256=4720811BED40F9998038BCEC6F941E418AB6D0305AB15AFB248F49CC02C64D74trueMicrosoft WindowsValid 734700x80000000000000007559517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.113{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007559516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL7.1.1108Visual Basic for Applications Runtime - Expression ServiceMicrosoft Visual Basic for ApplicationsMicrosoft 
CorporationEXPSRV.DLLMD5=3FF977F13147CF29DDB70AA247BD3690,SHA256=3FE5A0245668D229732B49763CB17E3BD466204440DBBC4D27F5E3095CED6C45trueMicrosoft CorporationValid 734700x80000000000000007559515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\System\msvcr100.dll10.00.40219.1Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2010Microsoft Corporationmsvcr100_clr0400.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36trueMicrosoft CorporationValid 734700x80000000000000007559514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL7.1.1104Visual Basic for Applications Development Environment - Expression Service LoaderMicrosoft Visual Basic for ApplicationsMicrosoft CorporationVBAJET32.DLLMD5=A302D22CC544B6BFB4E1BB522B036CB1,SHA256=76823CF79F5C76C96E2FCA31D06796D62727ABE559FFBA78E5F21DC324E55188trueMicrosoft CorporationValid 734700x80000000000000007559513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL16.0.13801.20688Microsoft Access database engine Expression ServiceMicrosoft OfficeMicrosoft Corporationacees.dllMD5=01B32DC29CEB905A6D0FC5C1C703B0CA,SHA256=70106489670931C7491BA1F8AF1DE0503E53844B2AA52F82C3143A8B6E83151DtrueMicrosoft CorporationValid 11241100x80000000000000007559512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb2021-09-10 17:13:56.060 734700x80000000000000007559511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEWSTR.DLL16.0.13801.20008Microsoft Access database engine Sort DLLMicrosoft OfficeMicrosoft Corporationacewstr.dllMD5=D26F3BC200CD057CB9939073143F652E,SHA256=F2985BACE4D0E5A2E82A9FE8CA935BCD19D184BA72F81F4CDC5D3627ECC0B937trueMicrosoft CorporationValid 11241100x80000000000000007559510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\JET4DF9.tmp2021-09-10 17:13:56.060 734700x80000000000000007559509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL16.0.13801.20634Microsoft Access database engine DLLMicrosoft OfficeMicrosoft Corporationacecore.dllMD5=052CFD327BA966E1D3EA5FAFB290672B,SHA256=8DD3054536AD700CD3C7BD59E95456B83E7D177AE1A7C6AAB21C97C49027E655trueMicrosoft CorporationValid 734700x80000000000000007559508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.060{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsdart.dllMD5=2D8AE33BC433EFE81FB9F5B126B4A0A9,SHA256=5BC4D64A18925CFB39C898E954BC24473BCCFDA11E31A8FD7E01F8F888BD6B76trueMicrosoft WindowsValid 734700x80000000000000007559507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:56.045{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\System\Ole DB\oledb32.dll10.0.14393.4169 (rs1_release.210107-1130)OLE DB Core ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationoledb32.dllMD5=1C9084B11668B0E8E83D7887BC2BDA33,SHA256=A2FF5347549ECCC9804F180C34D465AFA55027B3B0F614A2666934FA2963F436trueMicrosoft WindowsValid 12241200x80000000000000007559506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.045{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000007559505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.045{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000007559504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.045{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000007559503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.045{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000007559502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:13:56.045{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.380{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=04E74073FCFE9F7F8A5B1A13796D2FF3,SHA256=7846061B30027CCC5CCACA948870D39AF6A005E58269733F65CDC7711638DD16falsetrue 10341000x80000000000000007560014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.380{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.380{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=C8736A6E540827B0A92A31FDB8E66F59,SHA256=71EC97549B64647EDABCE7E52680A575D52DA283DDDAD705E7EF1D7B80348E97falsetrue 10341000x80000000000000007560012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.377{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.377{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=1AEA0D04DC6935E0DA9F59A492657CC4,SHA256=9DDD249DEBDCC9BFA519CE6A6A36F5535E3D751F02946B86CD70689156241B9Cfalsetrue 10341000x80000000000000007560010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=FE742F33A17A27347B39076CDDAA4D5C,SHA256=81536987CE36F53C8F4EE580C9D4B035C54A68E939742A601F2BCF3E1F53E0A8falsetrue 10341000x80000000000000007560008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=66E08D27438A5BF41FA861B911143DC2,SHA256=330B837950BE693A31FEAACF5B4A477128CB5337AA03DD4F596433E050A9D987falsetrue 10341000x80000000000000007560006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=5E52D6763011CB6BA1F9EF771A0F53B4,SHA256=859A95E899717B3FEB60AB3D02C25F275ADDE3391E0DE560DD26777887697135falsetrue 10341000x80000000000000007560004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.359{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007560003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.296{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000007560002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.296{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000007560001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.280{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-09 17:20:36.243 
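The records in this export are Sysmon ProcessAccess (10), FileCreate (11) and FileDelete (23) events with every field delimiter dropped, so, for instance, an Event 10's SourceProcessId and SourceThreadId arrive as a single digit run (6367016). The Python below is an added example; it is not part of this export or of the Splunk attack_range project. It re-splits such text into records, recovers the fused pid/tid from a record where the same ProcessGuid's pid stands alone, and runs two checks a practitioner would want over exactly this pattern: triage of each ProcessAccess record, and pairing of the Credentials\ blob deletes with the matching re-creates by lsass.exe. Records 7560022, 7560021 and 7559997 in SAMPLE are copied from this page; the fourth (RecordID 9000001, source C:\Users\Administrator\Desktop\tool.exe, GUID {11111111-2222-3333-4444-555555555555}) is constructed to exercise the alert branch. Two labels are analyst assumptions rather than anything the export states: "EXPECTED" for lsass.exe opening the process that called it over RPC with only 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) from an lsasrv.dll/RPCRT4.dll stack, and "ALERT" for any handle to lsass.exe that includes PROCESS_VM_READ (0x0010), the usual Sysmon credential-dumping check.

```python
"""Re-split Sysmon records exported without field delimiters and run two analyst checks:
ProcessAccess (EventID 10) triage, and pairing of Credential Manager blob deletes (23)
with re-creates (11) by lsass.exe. Added example; SAMPLE mixes records copied from the
page with one CONSTRUCTED record (RecordID 9000001)."""
import re

# Every record opens with: EventID Version Level Task Opcode Keywords RecordID Channel Computer UserID("-") UtcTime
HEADER = re.compile(
    r"(?P<EventID>\d{2})(?P<Version>\d)(?P<Level>\d)(?P<Task>\d{2})(?P<Opcode>\d)"
    r"0x(?P<Keywords>[0-9A-Fa-f]{16})(?P<RecordID>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<Computer>.+?)-(?P<UtcTime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
GUID = r"\{[0-9A-Fa-f-]+\}"
PATH = r"[A-Za-z]:\\"  # a drive-letter path always opens a new field in these schemas
TIME = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"
BODY = {
    # ProcessAccess: SourceProcessId and SourceThreadId arrive as one undelimited digit run
    "10": re.compile(rf"(?P<SourceProcessGUID>{GUID})(?P<SourcePidTid>\d+)(?P<SourceImage>{PATH}.*?)"
                     rf"(?P<TargetProcessGUID>{GUID})(?P<TargetProcessId>\d+)(?P<TargetImage>{PATH}.*?)"
                     rf"(?P<GrantedAccess>0x[0-9A-Fa-f]+?)(?P<CallTrace>{PATH}.*|)$"),
    # FileCreate (schema v2): ProcessGuid ProcessId Image TargetFilename CreationUtcTime
    "11": re.compile(rf"(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH}.+?)"
                     rf"(?P<TargetFilename>{PATH}.+?)(?P<CreationUtcTime>{TIME})$"),
    # FileDelete (schema v5): ProcessGuid ProcessId User Image TargetFilename Hashes IsExecutable Archived
    "23": re.compile(rf"(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<User>.+?)(?P<Image>{PATH}.+?)"
                     rf"(?P<TargetFilename>{PATH}.+?)(?P<Hashes>MD5=.+?)"
                     r"(?P<IsExecutable>true|false)(?P<Archived>true|false)$"),
}

# First three records copied from the page; the last is CONSTRUCTED (fictitious tool.exe and GUID).
SAMPLE = " ".join([
    r"10341000x80000000000000007560022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.380{4DF467A6-3F46-6132-0B00-00000000F001}6367016C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"23542300x80000000000000007560021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.380{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=B4656A795B8EBDE0DCCBC98E6BC85BF4,SHA256=489315787BEFCC6FAA8FC7026AABAA0AA2C6D30BE39ED664AC7BB2B3E8DE019Afalsetrue",
    r"11241100x80000000000000007559997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.259{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245",
    r"10341000x80000000000000009000001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:20:00.000{11111111-2222-3333-4444-555555555555}51201234C:\Users\Administrator\Desktop\tool.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(0000000000000000)",
])


def split_records(text):
    """Yield (header fields, body text) per record; a body ends where the next header begins."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.groupdict(), text[h.end():end].strip()


def parse(text):
    """Parse every modelled record. An Event 10's fused pid+tid is split using the pid that
    an 11/23 record established for the same GUID (there the pid stands alone); without
    such a record the split is ambiguous and both ids are left as None."""
    records, pid_by_guid = [], {}
    for head, body in split_records(text):
        rx = BODY.get(head["EventID"])
        m = rx.match(body) if rx else None
        if m is None:
            continue  # event type not modelled, or record truncated by a line wrap
        rec = {**head, **m.groupdict()}
        if "ProcessGuid" in rec:
            pid_by_guid[rec["ProcessGuid"]] = rec["ProcessId"]
        records.append(rec)
    for rec in records:
        if rec["EventID"] == "10":
            pid, fused = pid_by_guid.get(rec["SourceProcessGUID"]), rec["SourcePidTid"]
            ok = pid is not None and fused.startswith(pid) and len(fused) > len(pid)
            rec["SourceProcessId"] = pid if ok else None
            rec["SourceThreadId"] = fused[len(pid):] if ok else None
    return records


PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION = 0x0010, 0x1000


def triage_process_access(rec):
    """Classify one EventID 10 record. lsass.exe as *target* with VM_READ is the credential-
    dumping pattern; lsass.exe as *source* with only QUERY_LIMITED_INFORMATION from an
    lsasrv.dll/RPCRT4.dll stack is treated as it inspecting its RPC caller (analyst assumption)."""
    granted = int(rec["GrantedAccess"], 16)
    src, tgt, trace = rec["SourceImage"].lower(), rec["TargetImage"].lower(), rec["CallTrace"].lower()
    if tgt.endswith("\\lsass.exe"):
        if granted & PROCESS_VM_READ:
            return "ALERT: handle to lsass.exe with PROCESS_VM_READ"
        return f"REVIEW: handle to lsass.exe without VM_READ ({rec['GrantedAccess']})"
    if (src.endswith("\\lsass.exe") and granted == PROCESS_QUERY_LIMITED_INFORMATION
            and "lsasrv.dll" in trace and "rpcrt4.dll" in trace):
        return "EXPECTED: lsass.exe querying its RPC caller"
    return "INFO: other process access"


CRED_DIR = "\\appdata\\local\\microsoft\\credentials\\"


def credential_blob_churn(records):
    """Map each Credential Manager blob touched by lsass.exe to 'rewritten' (a 23 and an 11
    on the same path), 'deleted' (23 only) or 'created' (11 only)."""
    seen = {}
    for rec in records:
        if rec["EventID"] not in ("11", "23") or not rec["Image"].lower().endswith("\\lsass.exe"):
            continue
        if CRED_DIR in rec["TargetFilename"].lower():
            seen.setdefault(rec["TargetFilename"], set()).add("deleted" if rec["EventID"] == "23" else "created")
    return {p: "rewritten" if len(s) == 2 else next(iter(s)) for p, s in seen.items()}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for r in recs:
        if r["EventID"] == "10":
            print(r["RecordID"], r["SourceProcessId"], r["SourceThreadId"], triage_process_access(r))
    print(credential_blob_churn(recs))
```

Records that the export wraps across lines (as it does for every TargetImage ending in "Microsoft Office\...") must have the wrap joined before parsing; the patterns do not span newlines. Two things the FileDelete rows state that the checks do not print: Archived true means Sysmon copied each deleted Credentials\ blob into its archive directory (by default a SYSTEM-only Sysmon folder in the volume root), so the DPAPI-protected credential material now also lives there; and because each deleted blob name reappears in a FileCreate, the pairing function reports those blobs as rewritten rather than removed.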
Records 7560000 down to 7559962. Header fields common to all of them: Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-291.attackrange.local, UserID -, Keywords 0x8000000000000000, Level 4, Opcode 0; EventID 11 is Version 2 / Task 11, EventID 10 is Version 3 / Task 10, EventID 23 is Version 5 / Task 23. Records are grouped by event type below; RecordID preserves the original order (the twelve FileCreate records come first, then ProcessAccess (even RecordID) and FileDelete (odd RecordID) alternate).

EventID 11 FileCreate by lsass.exe. Fields identical in every record: ProcessGuid {4DF467A6-3F46-6132-0B00-00000000F001}  ProcessId 636  Image C:\Windows\system32\lsass.exe. TargetFilename is C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ followed by the name in the third column.

  RecordID  UtcTime                  TargetFilename (under ...\Credentials\)  CreationUtcTime
  7560000   2021-09-10 17:13:57.280  276CA6A1B50F2A6D99975542DEB806A2         2021-09-09 17:20:35.943
  7559999   2021-09-10 17:13:57.280  2E0688AA49358DBA0C38529E0073F68E         2021-09-09 17:20:35.191
  7559998   2021-09-10 17:13:57.274  DE8D3F8D6928320F9B3D40818973376D         2021-09-09 17:20:34.561
  7559997   2021-09-10 17:13:57.259  50E9827D6ABD6AD6128263FC11F5585B         2021-09-09 17:20:34.245
  7559996   2021-09-10 17:13:57.259  E08C85A1628613EC3DDAA9009D84AE60         2021-09-09 17:20:33.977
  7559995   2021-09-10 17:13:57.259  06E77BA2AFD19415DCCD47B619B236BD         2021-09-09 17:12:21.747
  7559994   2021-09-10 17:13:57.243  D2325BD2B73BEC8371D498E313E99DBB         2021-09-08 15:57:52.975
  7559993   2021-09-10 17:13:57.243  AE8AC12B059FC12BC993D44775532FE3         2021-09-08 15:57:52.975
  7559992   2021-09-10 17:13:57.243  C7587E62033F954AABD4D1069CDF8242         2021-09-08 15:57:52.710
  7559991   2021-09-10 17:13:57.243  11420D9674230CDD500D49A5C8EB73C3         2021-09-08 15:57:52.710
  7559990   2021-09-10 17:13:57.228  19327C7415E3C87C9469A39F209FBEF4         2021-09-08 15:57:52.694
  7559989   2021-09-10 17:13:57.228  9DA9D0B857DD035C7DE5CD6CC4AA8057         2021-09-08 15:57:52.694

EventID 10 ProcessAccess. Fields identical in every record:
  SourceProcessGUID {4DF467A6-3F46-6132-0B00-00000000F001}  SourceProcessId 636  SourceThreadId 7016  SourceImage C:\Windows\system32\lsass.exe
  TargetProcessGUID {4DF467A6-9253-613B-A322-01000000F001}  TargetProcessId 4124  TargetImage C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  GrantedAccess 0x1000
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

  RecordID  UtcTime
  7559988   2021-09-10 17:13:57.228
  7559986   2021-09-10 17:13:57.228
  7559984   2021-09-10 17:13:57.228
  7559982   2021-09-10 17:13:57.228
  7559980   2021-09-10 17:13:57.212
  7559978   2021-09-10 17:13:57.212
  7559976   2021-09-10 17:13:57.212
  7559974   2021-09-10 17:13:57.212
  7559972   2021-09-10 17:13:57.212
  7559970   2021-09-10 17:13:57.196
  7559968   2021-09-10 17:13:57.196
  7559966   2021-09-10 17:13:57.181
  7559964   2021-09-10 17:13:57.181

EventID 23 FileDelete by lsass.exe. Fields identical in every record: ProcessGuid {4DF467A6-3F46-6132-0B00-00000000F001}  ProcessId 636  User NT AUTHORITY\SYSTEM  Image C:\Windows\system32\lsass.exe  IsExecutable false  Archived true. TargetFilename is C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ followed by the name in the third column; Hashes are MD5=<MD5>,SHA256=<SHA256>.

  RecordID  UtcTime                  TargetFilename (under ...\Credentials\)  MD5                               SHA256
  7559987   2021-09-10 17:13:57.228  4931371A19CF250537D00E82E2ACC49F         8D0A4F2C8D12474DED49F8E88A198FB7  DC189C888EA76EE29510CC6003B881671FE05B2F4B781AB257D41C43F9505F58
  7559985   2021-09-10 17:13:57.228  276CA6A1B50F2A6D99975542DEB806A2         009FFE85D899616A20BAE81D8EC594BE  EE2A4F5FFBE2E8052661BD135BE0EC4E0F4B9E5C7D94135A9B85479408698EEB
  7559983   2021-09-10 17:13:57.228  2E0688AA49358DBA0C38529E0073F68E         F4969EE135964DA5CB4272A364DCB14A  BAA320A1FDB0D82D7E939025CACF1CF7608348F53006DDC7016668AB677F7C82
  7559981   2021-09-10 17:13:57.228  DE8D3F8D6928320F9B3D40818973376D         921BB837782B0DBA8F88F5431BEABDB9  D17048973A2FB607676468D7785C1B3DD420648A29E730AB23E015EC9B251A56
  7559979   2021-09-10 17:13:57.212  50E9827D6ABD6AD6128263FC11F5585B         369C83C8079B425639BB214992F1CD27  26AF9CE454DB0DFCAACF3CCCFBC1D26CD89A5AA12D0681B6CB7CEC6F1947E09E
  7559977   2021-09-10 17:13:57.212  E08C85A1628613EC3DDAA9009D84AE60         13780277C8DD07A560E596977519E7F6  7915F8282CF197B33024AC0152B0BD35B7ECC5F59477F726E9297987667F1F30
  7559975   2021-09-10 17:13:57.212  06E77BA2AFD19415DCCD47B619B236BD         909704B7A3214F06243B42CF6408D740  4C95AE79CF59CE6BD41A576AB05A6BF9F96457CCEF264DA1F700F892DC02FC46
  7559973   2021-09-10 17:13:57.212  D2325BD2B73BEC8371D498E313E99DBB         49C27A1382CCF1E9CFA8A7B3E836E5D7  3E9CD1D49E99DA1F3C39967547BC90F19DC3508BACE40DA4D505A63BE9AB92D0
  7559971   2021-09-10 17:13:57.196  AE8AC12B059FC12BC993D44775532FE3         0D9BFFFABF695FDB51C7A5932072220F  EFF166BB5DCAE7D16741E69897B7C31DA16CBA8C327343CC9FFCC7578B7820D0
  7559969   2021-09-10 17:13:57.196  C7587E62033F954AABD4D1069CDF8242         1104CD35EC6D7EE5A3FB50B8132DB142  CCE5B63043A9205C76E21F500A5B8C07959F66D8DA0E84972A680060E41E626A
  7559967   2021-09-10 17:13:57.196  11420D9674230CDD500D49A5C8EB73C3         4CB95ACA10B8D1EF4E9DED4F40572C83  05116AF3253CE56E34FBB20E9C911C087ECA8582E2C69AEBAD8A0F82F71FC3B7
  7559965   2021-09-10 17:13:57.181  19327C7415E3C87C9469A39F209FBEF4         F42F33F5B35BD104969E83A157A9A3DC  4258ABFB802464BFF7809BAAA60F23F6E51E04E5BC2B66E242FF2DC72B6C0C9D
  7559963   2021-09-10 17:13:57.181  9DA9D0B857DD035C7DE5CD6CC4AA8057         065657EBB19FA33A5F69F603CA577A42  1383613C933A8F88AD7134ECB63E9003B9D1BFB19844FBE5C41088D55FF80F0D

EventID 10 ProcessAccess 7559962, UtcTime 2021-09-10 17:13:57.181, same source fields as above; the record continues on the next line: TargetProcessGUID {4DF467A6-9253-613B-A322-01000000F001}  TargetProcessId 4124  TargetImage C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007559961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.179{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 354300x80000000000000007559960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.994{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56954-false20.190.151.7-443https 23542300x80000000000000007559959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.179{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B6A1813EA2788C484603EAC05DE0AD,SHA256=56A9977758DEC7D3ED7EF7B6C2A2A485ED6059CAC6DD40AAA6A570591351122Dfalsetrue 
10341000x80000000000000007559958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.177{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.177{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007559956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.937{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60963- 354300x80000000000000007559955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.829{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56953-false23.192.208.23a23-192-208-23.deploy.static.akamaitechnologies.com443https 10341000x80000000000000007559954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.175{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007559953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.175{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007559952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:38.810{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local58145- 12241200x80000000000000007559951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:13:57.159{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\Common 11241100x80000000000000007559950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.159{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-09 17:20:36.243 11241100x80000000000000007559949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.143{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-09 17:20:35.943 11241100x80000000000000007559948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.143{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-09 17:20:35.191 11241100x80000000000000007559947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.128{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-09 17:20:34.561 11241100x80000000000000007559946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.128{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-09 17:20:34.245 11241100x80000000000000007559945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.128{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-09 17:20:33.977 
11241100x80000000000000007559944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-09 17:12:21.747 11241100x80000000000000007559943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000007559942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000007559941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000007559940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000007559939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000007559938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000007559937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49FMD5=86AB34FF60879213771B4E7058F01953,SHA256=31865BB7594FFD2854ABA2A3DE0A5DFF20039EF3BC9BCC843E6E490B9675E1FFfalsetrue 10341000x80000000000000007559935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=818F1000CFC512A83D37A39194257EB6,SHA256=7BEE4024758712E2721AFEA870B62235FC023DE2A3A6EAB83D240CC346B83380falsetrue 10341000x80000000000000007559933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=C587A4E4A764E59923BE642FD6A1D9FC,SHA256=D744D736568B1E8A838C32AFD12D281032292FC46CEE7FA57FFD36961845A353falsetrue 10341000x80000000000000007559931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.096{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=C66EC36663192100A714B94FD9592F75,SHA256=8C416D17B11E5516C4754D106B67F14C49B3FDDEB5D10759638268CFD037A37Dfalsetrue 10341000x80000000000000007559929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=F7160B00FBC6FF2B2084AFB415F25DE7,SHA256=EE2AB87CC418AB3F946EEB89EFE644195B33E8B5B4C8A7F0349E20BB5AD34229falsetrue 10341000x80000000000000007559927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=E17434382124C169B153757F65B70410,SHA256=3806D1E38C29DF39FB7CDE15307059D37BEAAFD8A2AE6075707D307ACA9492A6falsetrue 10341000x80000000000000007559925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=E5CD8012CD29972A6D39AAF3BBE73ED2,SHA256=7726B8961960F5A4A433103F501690B994403BB7F4AA7BCE6D0A9A45FBE7DCD6falsetrue 10341000x80000000000000007559923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.081{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=20C4E7203B4FE2807EE2380A4533D54B,SHA256=1A9229C3809398AF7C1CF7277FC93B8D90CCA0BEA8E6A05D550AF1C05CE198EAfalsetrue 10341000x80000000000000007559921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.079{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.079{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=4DAC52B5C07276254EFBE62E88A4781F,SHA256=196042A67CCC9FA3D2019A6F75B40CFB7636FFCC9AD607D933C0775AE35CA036falsetrue 10341000x80000000000000007559919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=54189CDC2912810E0C7352DC6DCF2989,SHA256=4F89E9E2E0CD02D32449B23CF4A8CECF6B102DA47F0FE55A032235C78D4964A0falsetrue 10341000x80000000000000007559917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=8A8139FAAB85D6D115C4CBB4E9F32A12,SHA256=45122780E03ABD1D87E0713B82AD28C417992A568A9F295B67F7B8B222773398falsetrue 10341000x80000000000000007559915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007559914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=A3673DAA174B39D7AC02F85F5835C30F,SHA256=32662B780C7616F2DC484AFB9C78D5DD3186D90479E243C3AF8E327355565614falsetrue 10341000x80000000000000007559913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:57.059{4DF467A6-3F46-6132-0B00-00000000F001}6367104C:\Windows\system32\lsass.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007560126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:00.039{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000007560125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:40.144{4DF467A6-9253-613B-A322-01000000F001}4124ols.officeapps.live.com0type: 5 prod.ols.live.com.akadns.net;::ffff:52.109.20.0;C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 10341000x80000000000000007560124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:00.039{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007560123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:40.539{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56963-false104.47.55.16-443https 10341000x80000000000000007560122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:00.007{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007560121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:00.007{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007560120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:39.946{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local56959-false52.109.20.72-443https 10341000x80000000000000007560119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:00.007{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007560118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:00.007{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002132665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:13:51.984{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62427-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:00.219{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9544329B3012D1DC4B740F548F8A038E,SHA256=8EEE264C2C640567332F8DA113EB8F49F35262F0EA672E59C498A0047F3EC0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:00.003{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724EC426D2CF5A17DB42754A8B11239F,SHA256=27F06B534ABA80BA78050DAE946CD6738200F044C7176587B39D08C9F00CD2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007560237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{84B18CAD-1A34-4DA3-B9A1-31FE7B1F04CF}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsetrue 23542300x80000000000000007560236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotmMD5=212E617A166F3796318832CEF8530174,SHA256=C4090AC3F003B86CBE74CAE22199C482AC476A181FAD4A462D24BE1EE543FAC9falsetrue 13241300x80000000000000007560235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 12241200x80000000000000007560234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:01.989{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000004903DE 13241300x80000000000000007560233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 13241300x80000000000000007560232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 
17:14:01.973{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000007560231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.973{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000007560230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.951{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\127\52C64B7E\LanguageListBinary Data 10341000x80000000000000007560229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.951{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+a2bf79|C:\Program Files\Mozilla Firefox\xul.dll+a2be9a|C:\Program Files\Mozilla Firefox\xul.dll+a2ba89|C:\Program Files\Mozilla Firefox\xul.dll+a27bdf|C:\Program Files\Mozilla Firefox\xul.dll+a27eec|C:\Program Files\Mozilla Firefox\xul.dll+b7531a|C:\Program Files\Mozilla Firefox\xul.dll+2f1c79|C:\Program Files\Mozilla Firefox\xul.dll+2f1b84|C:\Program Files\Mozilla Firefox\xul.dll+2f196d|C:\Program Files\Mozilla Firefox\xul.dll+2f1804|C:\Program Files\Mozilla Firefox\xul.dll+bc6763|C:\Program Files\Mozilla Firefox\xul.dll+bc7431|C:\Program Files\Mozilla Firefox\xul.dll+bc645d|C:\Program Files\Mozilla Firefox\xul.dll+bc63b2|C:\Program Files\Mozilla Firefox\xul.dll+b95ffd|C:\Program Files\Mozilla Firefox\xul.dll+1a626ab|C:\Program 
Files\Mozilla Firefox\xul.dll+b9be3e|C:\Program Files\Mozilla Firefox\xul.dll+fed050|C:\Program Files\Mozilla Firefox\xul.dll+2dae46|C:\Program Files\Mozilla Firefox\xul.dll+2d424d 13241300x80000000000000007560228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.951{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000007560227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.951{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000007560226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.920{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 13241300x80000000000000007560225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.920{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Data\SettingsBinary Data 12241200x80000000000000007560224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 
13241300x80000000000000007560223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{C73549BA-97E2-4111-AB43-04647F868862}\PointsBinary Data 13241300x80000000000000007560222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{C73549BA-97E2-4111-AB43-04647F868862}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000007560221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{C73549BA-97E2-4111-AB43-04647F868862}\TypeDWORD (0x00000000) 12241200x80000000000000007560220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 12241200x80000000000000007560219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 
12241200x80000000000000007560218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000007560217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a667-0x4021d022) 12241200x80000000000000007560216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 23542300x80000000000000007560215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{7D4825E0-82B5-49E6-B038-7AAD56CB80B2}.tmpMD5=40F26C772357F7227215EC6345F62D2F,SHA256=266ACB2D9FAAF1C81BD34CBB9784E1DB836C8774624CC0A088B32EE34C16108Dfalsetrue 10341000x80000000000000007560214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}24281584C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\windows.storage.dll+3c6ffe|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007560213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Downloads\CVE-2021-40444\CVE-2021-40444 Malicious Docs\~$ddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf.docxMD5=0933B670AD01BE6F37E5B7005792B6AE,SHA256=9D2F1F73CE03A352D69897D90C70634BC557491DF972B7A130C11B303BFAB8ABfalsetrue 10341000x80000000000000007560212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}24281584C:\Windows\explorer.exe{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca15e|C:\Windows\System32\windows.storage.dll+3c5e2f|C:\Windows\System32\windows.storage.dll+3c6f70|C:\Windows\System32\windows.storage.dll+3c8fee|C:\Windows\System32\windows.storage.dll+7ad03|C:\Windows\System32\windows.storage.dll+7c309|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007560211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000007560210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList\MRULista 12241200x80000000000000007560209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:01.851{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList 10341000x80000000000000007560208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}41245560C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c76c8|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007560207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}41245560C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007560206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency 10341000x80000000000000007560205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}41245560C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c76ac|C:\Windows\System32\windows.storage.dll+3cbcbf|C:\Windows\System32\windows.storage.dll+3cc218|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1945f4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1944d9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+f20cc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+15290d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bdb1e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+bef25|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+8e4f6|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000007560204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery 12241200x80000000000000007560203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\246C4EB5 12241200x80000000000000007560202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-10 17:14:01.851{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\246C4EB5\246C4EB5 13241300x80000000000000007560201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.836{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Toolbars\Settings\Microsoft WordBinary Data 734700x80000000000000007560200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.820{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL16.0.55555.10000Microsoft ENGLISH Natural Language Server Data and CodeNatural Language ComponentsMicrosoft 
17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds018409363,20039442,40920709,21378256,19972417,19200086,17134338,34968335,8758344,24131419,19677900,23979203,18375312,18658649,17634580,51655840,18658648,19677907,17183040,17698823,21378211,17650967,18658650,18948503,34968340,18674530,18637650,21313610,18948102,17126295,9319450,18409416,36517339,18948101,18400089,17634578,36761792,34968342,20979747,21378249,21030802,50890251,34968338,34968337,24470607,34968339,7690258,34968341,38013077,6366290,8448079,36274763,34968589,24406167,17182941,20027008,20027009,17182979,7690254,23205313,9176926,17622912,8263521,5850584,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241
,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,58880
03,19732353,23979200,18384802,18633496,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313 12241200x80000000000000007560279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000007560278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000007560277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000007560276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 
13241300x80000000000000007560275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000007560274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000007560273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000007560272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000007560271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000007560270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000007560269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000007560268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\2DWORD (0x00000000) 12241200x80000000000000007560267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 
13241300x80000000000000007560266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000007560265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000007560264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 13241300x80000000000000007560263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.020{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000004903DE\VirtualDesktopBinary Data 12241200x80000000000000007560262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:14:02.020{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000004903DE 12241200x80000000000000007560261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000007560260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:02.020{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000007560259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000007560258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000007560257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000007560256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000007560255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000007560254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000007560253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000007560252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 11241100x80000000000000007560251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-09-08 15:58:21.681 23542300x80000000000000007560250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=D17E9C118C3A46685D70D280C9D09E23,SHA256=D63DB843932BBC69AC92B9D3920536AB07E6BB0FDF21327C1ABC217C34703678falsetrue 13241300x80000000000000007560249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 11241100x80000000000000007560248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json2021-09-08 15:58:21.697 23542300x80000000000000007560247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5=33018E594759256A809F5A15411E1CA2,SHA256=272AC606C01D0ECC249FBAD56BCE15F62E44D7A35AA6701292A9A2A285A6E883falsetrue 11241100x80000000000000007560246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json2021-09-08 15:58:21.681 23542300x80000000000000007560245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3falsetrue 11241100x80000000000000007560244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-09-08 15:58:21.681 23542300x80000000000000007560243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.004{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=D17E9C118C3A46685D70D280C9D09E23,SHA256=D63DB843932BBC69AC92B9D3920536AB07E6BB0FDF21327C1ABC217C34703678falsetrue 11241100x80000000000000007560242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json2021-09-08 15:58:21.681 23542300x80000000000000007560241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3falsetrue 11241100x80000000000000007560240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json2021-09-08 15:58:21.681 23542300x80000000000000007560239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5=E4E83F8123E9740B8AA3C3DFA77C1C04,SHA256=6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31falsetrue 13241300x80000000000000007560238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:01.989{4DF467A6-9253-613B-A322-01000000F001}4124C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4124\0Binary Data 11241100x80000000000000007560300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:03.502{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007560299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.502{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=895592644F3AC82C85513D3D3D57189A,SHA256=C12428F9D1CBE6D6EA73C249F61973BF4B6486F5617A3EF5B5849F71F0DD19CFfalsetrue 11241100x80000000000000007560298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007560297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.402{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99E61A44B641B6AF9F4E7DF8D7B324DF,SHA256=C0B2CF46ED314B3E4144A771200948EEDE00BD5CE93753698658C56E58725037falsetrue 11241100x80000000000000007560296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.149{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007560295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.149{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB9D036665D52EE8A409596D0218C38,SHA256=CC2DC9F6F950B677575002E248A78FB10F131451F61152244F6E469F23667F71falsetrue 23542300x80000000000000002132668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:03.024{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D78B7DD823FAEB8A84068B6AA655C4C,SHA256=F9291A8B99984EBF2B8ABB4425B0D5AD1A500146B34D6B8F96A9594F2E0B27C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.102{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007560293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:03.102{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D6FA14A0B9B6230F375F8240C43AD79,SHA256=3C8741E64A6D6C897038C097C65CA19AD930521E86B4EEA79DDEBF69D7CD1B45falsetrue 23542300x80000000000000002132669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:04.026{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002132690Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:08.081{AEE49BD1-925F-613B-BF1B-01000000F101}60005744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002132689Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:08.049{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D7A1F60D723633F65B28C2B841757,SHA256=9F009F65931D11BF2617171D766B99C92D42A783A95A9F2FC4BC891F33D8241B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007560349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB06E29A9969D3A6F6E8B2B2B2E7583F,SHA256=6D4807A750B4A9CE010EC1ECED927D9D46F38A2B858B97C5190924AAC2DBF59Ffalsetrue 11241100x80000000000000007560348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=B122AD5A89964AE6E6751D40961B0CFD,SHA256=9EAFEA22A8B2C78A5A1A6DA92DFF41491E894DD61F8B373A304D6301FDF07DFDfalsetrue 11241100x80000000000000007560346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=0B876686AA958A2CCA3F70FAA045AC47,SHA256=63A8131A48E93D8B20348FAC49C1F8CC3CA9809E7F832D6A77B46DDEB8F87C65falsetrue 11241100x80000000000000007560344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=BE5DC9632C4B28A69F83D078943C6E73,SHA256=8D5A060FCF70AB8EC3CB944DCF44ADC4B4FC10F2B6AF131ADAA82D25F30E4A4Ffalsetrue 11241100x80000000000000007560342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=E17E8FEE3ED3C787A75335B2F1D22E05,SHA256=E0F46DFC87CAA007170DE93848C18B9A9CCF3B68A8C7995093A02838D94D4C1Bfalsetrue 
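The records on this page are Sysmon events from the Attack Range hosts (win-host-296 and win-dc-291) exported with every XML element stripped, so the fields of each event run together with no delimiter. Each record still opens with a recognisable header: EventID, Version, Level, Task, Opcode, Keywords (always 0x8000000000000000 here), EventRecordID, the channel name Microsoft-Windows-Sysmon/Operational, the Computer name, a "-" for the empty Security UserID, and the UtcTime. Because Sysmon sets Task equal to EventID, a backreference is enough to read "1034100" as EventID 10 rather than 1. The parser below is an added example, not part of the dataset or of any Splunk or Sysmon tooling; it recovers the header of every record, fully parses the Event 10 (ProcessAccess) body, and flags GrantedAccess masks that carry thread-creation or memory-write rights. The SAMPLE string is constructed from three records visible above (2132698, 2132692 and 2132691) with their call traces shortened; the header layout, the assumption that SourceProcessId and SourceThreadId are fused and therefore left unsplit, and the non-greedy handling of GrantedAccess before the first "C:\" frame of the call trace are all assumptions checked only against this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three records from this page, call traces shortened.
# Records in the export are separated by a single space, as on the page.
SAMPLE = " ".join([
    r"10341000x80000000000000002132698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:08.619{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593",
    r"10341000x80000000000000002132692Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:08.619{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9260-613B-C01B-01000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860",
    r'154100x80000000000000002132691Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:08.613{AEE49BD1-9260-613B-C01B-01000000F101}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
])

# Record header: EventID, Version, Level, Task (== EventID in Sysmon, hence the
# backreference), Opcode, Keywords, EventRecordID, Channel, Computer, "-" for the
# empty Security UserID, UtcTime. Assumption: this is the layout of the dump above.
HEADER = re.compile(
    r"(?:^|\s)(?P<eid>\d{1,2})(?P<ver>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"0x8000000000000000(?P<recid>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>\S+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
)

# Event 10 body. SourceProcessId and SourceThreadId are fused with no delimiter,
# so they are kept as one raw string instead of guessed. GrantedAccess is matched
# non-greedily with a lookahead so the "C" of the call trace's first "C:\" frame
# is not swallowed as a hex digit.
EVENT10 = re.compile(
    r"\{(?P<sguid>[0-9A-F-]+)\}(?P<spid_tid>\d+)(?P<simage>[A-Za-z]:\\.*?)"
    r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.*?)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|$)(?P<trace>.*)$",
    re.S,
)

# Access rights an injector needs; a mask without any of them cannot write or
# start code in the target (0x1400 = QUERY_LIMITED_INFORMATION | QUERY_INFORMATION).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Record:
    event_id: int
    record_id: int
    computer: str
    utc: str
    body: str
    fields: dict = field(default_factory=dict)


def split_records(dump: str) -> list[Record]:
    """Cut a delimiter-free export into records at each Sysmon header."""
    heads = list(HEADER.finditer(dump))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        rec = Record(int(h["eid"]), int(h["recid"]), h["computer"], h["utc"],
                     dump[h.end():end].strip())
        if rec.event_id == 10:
            m = EVENT10.match(rec.body)
            if m:
                rec.fields = m.groupdict()
                rec.fields["trace"] = rec.fields["trace"].split("|")
        out.append(rec)
    return out


def suspicious_access(recs: list[Record]) -> list[tuple]:
    """Event 10 records whose GrantedAccess includes thread-creation or
    memory-write rights. A parent opening the child it just spawned (splunkd.exe
    on splunk-powershell.exe above, 0x1fffff = PROCESS_ALL_ACCESS) lands here as
    well; join on Event 1 ParentProcessGuid to suppress that case."""
    hits = []
    for r in recs:
        if r.event_id != 10 or not r.fields:
            continue
        access = int(r.fields["access"], 16)
        if access & INJECTION_BITS:
            hits.append((r.record_id, r.fields["simage"], r.fields["timage"], access))
    return hits


if __name__ == "__main__":
    records = split_records(SAMPLE)
    for r in records:
        print(r.record_id, r.event_id, r.computer, r.utc, r.fields.get("timage", ""))
    for rid, src, dst, acc in suspicious_access(records):
        print(f"record {rid}: {src} -> {dst} access {acc:#x}")
```

The svchost.exe handle to sysmon64.exe (0x1400, query rights only, lsm.dll on the call stack) is the benign Local Session Manager pattern and is not flagged; the only hit is splunkd.exe holding PROCESS_ALL_ACCESS on the splunk-powershell.exe it launched, which the Event 1 record immediately after it explains.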
11241100x80000000000000007560340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4564B9DFA453D8C8898CB65047C25D2,SHA256=1BDA11E2D25496EE30510901969353684F5B01B7F3A4788BC1DE8CFEC075296Bfalsetrue 11241100x80000000000000007560338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=BB4721430072E7ECF43637BEFCED603D,SHA256=4B95C6B86EA5CF7B8E0334BEB64E64D299E0CF0CA47F7BA5AE77A117AEF89B68falsetrue 11241100x80000000000000007560336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:09.309{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=02045DC6E90C28256EFFCBD8A273449B,SHA256=FC403BAC929DF6174237DF93EA54AB6B6E775E530FCCF9211AE8D63879AC8BEBfalsetrue 10341000x80000000000000002132720Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.419{AEE49BD1-9261-613B-C11B-01000000F101}3523284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132719Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-9261-613B-C11B-01000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132718Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132717Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132716Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132715Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132710Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:09.298{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132709Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-9261-613B-C11B-01000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132708Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.298{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-9261-613B-C11B-01000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132707Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.283{AEE49BD1-9261-613B-C11B-01000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:09.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FCAE96E99B48CFD7ABBDEAC56CA733,SHA256=7E119A6AA5C1AE89AB7E5AC07B6EB7E478C4FCF391789BD00577A7E8B04CECFE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:10.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:10.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCD148F385E51CBCBA1EADE2F15E6F0,SHA256=D4BA098DBF81C1677FE550969C30D60A9A0C4E1D69DAF992F5BCEC5D0FE98875falsetrue 23542300x80000000000000002132722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:10.316{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F6E419BA7003392432F6E9750CD67DA,SHA256=BB42F1E731434050A2295E6EE8A4A3E4BDC5F122C8D783F25D066D13508ED5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:10.098{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DD5CB15ADCA02B4F2EB8D77A951636,SHA256=5F2369690CAA2C5218CDC46686E6793C1B550D21DBFFDC364C1BF22CC6666480,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007560355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:13:52.071{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56968-false10.0.1.12-8000- 11241100x80000000000000007560354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:11.355{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:11.354{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFCFF413CA86D78701D99160DFB4DCE,SHA256=BB82505A4E87259F909CE74BCDE2939C5A2247D2B516D579CF19B30C96EAE85Afalsetrue 23542300x80000000000000002132724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:11.720{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:11.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
17:14:19.099{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:19.099{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-926B-613B-C21B-01000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:19.099{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-926B-613B-C21B-01000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:19.084{AEE49BD1-926B-613B-C21B-01000000F101}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007560427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:20.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007560426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:20.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6328B008CDE279C44D94D20133D3C90,SHA256=7D52E17A57A561F11A001AB9E20A2378A5FF5E801C1E4F0D8C507FC2B58F6E47falsetrue 354300x80000000000000007560425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.621{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56972-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000007560424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:01.621{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56972-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 23542300x80000000000000007560423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:20.575{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\aborted-session-pingMD5=3BC1AC53A71CE63CE9EF62320D1F6CF2,SHA256=1C12F428E49D47A5E6BF441CD7CC7FB05494403F5A9269619C00777FEC10F911falsetrue 11241100x80000000000000007560422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:20.575{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\aborted-session-ping.tmp2021-09-10 17:14:20.575 11241100x80000000000000007560421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:20.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:20.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C09C259DA7B08A02A4787949BE5E6CE,SHA256=458825F408039D7364A3AAB1BF86DAAAF7D6D379C3051C14A395EAF08B0B6020falsetrue 23542300x80000000000000002132754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:20.370{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9922MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:20.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED3C262B51BF215D8C50BBE242F3744,SHA256=DA8AF6DE1D62BC54DB581A6242025DB66183A26ABC2F18610E6E403C7F5A9ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:20.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FD4F498FE0CCAE0BE81E35D172AA73,SHA256=C9D9C52ECF9DC552AC5A95328AEAC5010E9994E03EC8026CC3CD01846F7E9ECA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=F8C4551DC5AAB3A69A1E999A40FF1A64,SHA256=964AC7190A4BA3D11DBA10581CEC2946C0B30D6E12B37961C40736090462390Afalsetrue 11241100x80000000000000007560439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=A4BB12F38F7F8AD60F35254884B4FCC9,SHA256=4F9F3A254D64887EE7384BE5D2B9EEA58AF7A44D797D56CDA359C4CB922FA3BFfalsetrue 
11241100x80000000000000007560437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=084EB0A74057DD48F714209ED4A4AE25,SHA256=6693BC8BCE0D414EAD1B69E1205D8D69D853C67D20CFCDE077A8B8F2BBA4E881falsetrue 11241100x80000000000000007560435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=A5AA0AEAE851E55E4BA194D9A0D6FF76,SHA256=A24F50629A16BA2E64217E3ABD3C2FF30B769F79CED49D63D6DECB601C1669F5falsetrue 11241100x80000000000000007560433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 
20:44:01.067 23542300x80000000000000007560432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=52171D7D95E2C96B8EAC648DC8314938,SHA256=F9616D7FDCDDB346FF5E4B27C630AA796BF705AD970F706D83E821FDB6977052falsetrue 11241100x80000000000000007560431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007560430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.804{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=9F6ACBAAD716E40B5EA30DB7B03B8D18,SHA256=B976B9F228240BC6789E0E84E2F078F3C029F47CF47F78562FA2070914F070C0falsetrue 11241100x80000000000000007560429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:21.520{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251B8D4540F50104A7E2AE8697849D63,SHA256=5381AC129030623AB12691954037F877CE699ECE4093B27BB7A9FCB8450088BCfalsetrue 23542300x80000000000000002132756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:21.370{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9923MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:21.170{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A458D20440C8EF3ADA73D0FED3D6F65,SHA256=BAFB014C8EC8B12A51ED51ED9D055A3338C9172599139C7A51E087FE100BFE2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007560446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:02.969{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56973-false10.0.1.12-8000- 11241100x80000000000000007560445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:22.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007560444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:22.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C89221DD02F38E6F69FD760CC0AAEFB2,SHA256=E79FB9F636CDC03B2339C38500221AF434CCD8E72FDDBBFC5B3D7143D729F7ECfalsetrue 11241100x80000000000000007560443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:22.539{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:22.539{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935365091347DFD135CD485B6668AADA,SHA256=2E6EEB04AF42305AED6BEC288AF2294DF8F3493911C970536E041B008FCF22B5falsetrue 23542300x80000000000000002132757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:22.171{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA31C65D3654BF16B70A725E56A3823,SHA256=5A85D7C4D86A99942A56A63880C68A2DED904109987D6A27A99109E5335F76B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:23.869{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007560451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:23.869{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86B2D83816F030167A94D12910FA6BEE,SHA256=4EBA54487F4F9EC07D7E584115A6DE84E862426A137A64CD5AB72CB0C17EF6F6falsetrue 11241100x80000000000000007560450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:23.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007560449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:23.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CD50A92FBD787614F051E85765D64086,SHA256=4C66D243A9FD44F274D3A66ABA2FA2803943B2E2BF2098C4D77BD1CF43B3E715falsetrue 11241100x80000000000000007560448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:23.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007560447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:23.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FA197B420C3E356EDBD2C0816CE1B2,SHA256=FC7F49DEE3CAED6767EB149E6986F6CC2FE7C38E1C3AE08DCC956C3C20E3435Afalsetrue 23542300x80000000000000002132758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:23.173{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061A6A52DE1D72D4836EA5BCCFF45095,SHA256=1AF88AC9B4B54635BB152E344D5675A4DAAC3BC99EE83A9E71C70800CCD8B618,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:24.568{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:24.568{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D02EE0F510881E7C7D8EA7C9D9E5CF,SHA256=E0FB798DC4ABD42D5DBDE39618FCC98C9E5DD4C552FB708B4FF15C6ADFFFFEDCfalsetrue 23542300x80000000000000002132761Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:24.222{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE55E7CD829C908615CBB39EC77C46C0,SHA256=C8AB4EF106535CAAEBD27CFBA58F68CFF3DD56A706E8192C4CDBB1372D6820D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002132760Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:15.858{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62432-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132759Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:24.175{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CFDCDCF29A74306E73D8596F3C708E,SHA256=038B0FADB12E627AE763F719120B095A6751DDFBF4C1FA6203D500DEC058AA9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:24.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007560453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:24.333{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC16F55C018750D540E318B7FECFDAC,SHA256=7C4717BD0DDEBE5086E6325663B40DC0AD2085B04E5D377EB5444BCE33A0F69Ffalsetrue 11241100x80000000000000007560458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:25.613{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:25.613{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440E6846359D3E45BCD3F8FD055EA830,SHA256=9159969F21C79109D8E40FF9ECD5F55A1647573D2AF12C2816092531E4217008falsetrue 23542300x80000000000000002132762Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:25.176{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A34A64A82F17DB3741C95B4708D108,SHA256=754B45607D5E60639E70831E90240E5562F182F28D0918DE8DD90CA4C7B799D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007560460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:26.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
12241200x80000000000000007560557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x80000000000000007560542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.549{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007560528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x80000000000000007560527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:14:35.533{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007560526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:35.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:35.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB21C498F3128994BCDF8CD8875986A,SHA256=0B34D75071791497817C6BBC50E1E8A5EC7F5A1B50959F3D0CDE052B0B81551Afalsetrue 23542300x80000000000000002132778Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:35.196{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF0EEC40CFFA14BC4A27396E068A251,SHA256=6152DD780C8C9467099C040F6787FDD81900A1EDF715852ED0ACA4AFABB0D0C4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007560524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:35.034{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475Binary Data 
354300x80000000000000007560631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.439{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local57183- 354300x80000000000000007560630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.438{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49621- 354300x80000000000000007560629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.437{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49428- 354300x80000000000000007560628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.434{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local58261- 354300x80000000000000007560627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.434{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57615- 354300x80000000000000007560626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.433{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56242- 
354300x80000000000000007560625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.432{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59847- 354300x80000000000000007560624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.432{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56062- 354300x80000000000000007560623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.430{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local61646- 354300x80000000000000007560622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.430{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51096- 354300x80000000000000007560621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.429{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local49342- 354300x80000000000000007560620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.428{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60065- 
11241100x80000000000000007560619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:36.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:36.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C3EF0DB25C10168DA5867FCCB8718C,SHA256=201210396AF76E47E3328556C481B96C75A7BABF2A26D79A90128BA0F4764E41falsetrue 23542300x80000000000000007560617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:36.766{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-9931MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000007560616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:36.765{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-99312021-09-10 17:14:36.765 11241100x80000000000000007560615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:36.764{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-99322021-09-10 17:14:36.764 
354300x80000000000000007560614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.427{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local51615- 354300x80000000000000007560613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.426{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local62016- 354300x80000000000000007560612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.426{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60249- 354300x80000000000000007560611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.425{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56954- 354300x80000000000000007560610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.424{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61357- 354300x80000000000000007560609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.423{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61031- 
354300x80000000000000007560608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.421{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60007- 354300x80000000000000007560607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.420{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local60968- 354300x80000000000000007560606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.420{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50567- 354300x80000000000000007560605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.419{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local51098- 354300x80000000000000007560604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.419{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49483- 354300x80000000000000007560603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.416{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local61595- 
354300x80000000000000007560602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.416{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65211- 354300x80000000000000007560601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.413{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51118- 354300x80000000000000007560600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.412{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local61709- 354300x80000000000000007560599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.412{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63391- 354300x80000000000000007560598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.411{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local62017- 354300x80000000000000007560597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.410{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57998- 
354300x80000000000000007560596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.409{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60001- 354300x80000000000000007560595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.408{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local58070- 354300x80000000000000007560594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.407{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50991- 354300x80000000000000007560593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.407{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local56124- 354300x80000000000000007560592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.405{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local60531- 354300x80000000000000007560591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.404{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.14win-dc-291.attackrange.local51060- 
354300x80000000000000007560590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.403{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49236- 354300x80000000000000007560589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.402{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-291.attackrange.local56013-false10.0.1.14win-dc-291.attackrange.local53domain 354300x80000000000000007560588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.402{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62048- 354300x80000000000000007560587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.401{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62048-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domain 354300x80000000000000007560586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.397{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56977-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000007560585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:18.397{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56977-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 
17:14:43.906{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:43.906{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007560661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007560660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.906{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1857AFD3D463A6623F4857FA4BDD586C,SHA256=1378C24F0C872E35DE565B304A4E5A5CDC67C4968BF5B2D6E8E4F4D39AF00690falsetrue 11241100x80000000000000007560659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007560658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4EB77502CA1A26DE105143A674849C,SHA256=B2A7B6BC9D80FB7A54763E1020E69F602CA4297664D41805DE3226F18479A528falsetrue 11241100x80000000000000007560657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007560656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F9F82ECE031B9022CAA23DA5D0669C6,SHA256=84C9BB521B6617806B1FB5ABE14F50EEC0ED04AFB2058D1145BC918349EE2A16falsetrue 11241100x80000000000000007560655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40374960282B181270CF1D2746919924,SHA256=C46784C6B76B9FCA21761CABB402D41C4533A08E43ED78B8AE431BE71CF1FE37falsetrue 11241100x80000000000000007560653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:43.039{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007560652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:43.039{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA666946BF4FB531DB17CBB40D063CC8,SHA256=7104BE494E4C99EB354AC4AC116BA11C638462CE4F5698129A124C391FAFD388falsetrue 23542300x80000000000000002132790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:44.212{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5FF8349E5D7D42B94DA9E9324D3B0A,SHA256=C2E5DDD73C31F8402E83454684F5D0817117899EEF116163E0C93CBC926ECDCB,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007560787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.752{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007560786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.752{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007560785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.752{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007560784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.752{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007560783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007560782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 
(rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007560781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007560780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007560779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007560778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007560777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007560776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007560775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007560774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
734700x80000000000000007560773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007560772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007560771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007560770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007560769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007560768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007560767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007560766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007560765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007560764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007560763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007560762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007560761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007560760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007560759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007560758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007560757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007560756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007560755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007560754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.621{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007560753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007560752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007560751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007560750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007560749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007560748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007560747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007560746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007560745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007560744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007560743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 
734700x80000000000000007560742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007560741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007560740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007560739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007560738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007560737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007560736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007560735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.605{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007560734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.600{4DF467A6-9284-613B-A722-01000000F001}7812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007560733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:44.599{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:44.599{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007560731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:44.599{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:44.599{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007560729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:44.599{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:44.599{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 13241300x80000000000000007560727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:14:44.521{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a667-0x5990b3cf) 11241100x80000000000000007560726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007560725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4EB77502CA1A26DE105143A674849C,SHA256=B2A7B6BC9D80FB7A54763E1020E69F602CA4297664D41805DE3226F18479A528falsetrue 11241100x80000000000000007560724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DD3D7F03C0BE4117F4204FFE0B33C3,SHA256=8D69C46619E9BAFC6D6031488748281E90AD997799AD95C961BC8C85F0758AC1falsetrue 354300x80000000000000007560722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:25.764{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56980-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007560721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:25.764{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56980-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 
354300x80000000000000007560720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:25.088{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56979-false10.0.1.12-8000- 534500x80000000000000007560719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.069{4DF467A6-9283-613B-A622-01000000F001}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007560718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.069{4DF467A6-9283-613B-A622-01000000F001}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007560717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.069{4DF467A6-9283-613B-A622-01000000F001}75365196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000007560716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.069{4DF467A6-9283-613B-A622-01000000F001}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007560715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:44.069{4DF467A6-9283-613B-A622-01000000F001}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000002132793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:36.913{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62436-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:45.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7205B50F58F983390922BAAAAAD66014,SHA256=4B43710E07077B8345A55DF05AE8A9145C0773092A133B48513F6FCAB9A6C129,IMPHASH=00000000000000000000000000000000falsetrue 
18141800x80000000000000007560894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:45.998{4DF467A6-9285-613B-A922-01000000F001}908\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007560893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.998{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007560892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.997{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007560891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.997{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007560890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.997{4DF467A6-9285-613B-A922-01000000F001}908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007560889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007560888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007560887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000007560886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007560885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007560884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007560883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 
734700x80000000000000007560882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007560881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007560880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007560879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007560878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007560877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007560876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007560875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000007560874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007560873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007560872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007560871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007560870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007560869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007560868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007560867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007560866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007560865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007560864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007560863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007560862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007560861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007560860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.981{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000007560953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007560952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007560951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007560950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007560949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007560948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007560947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007560946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007560945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007560944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007560943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft 
CorporationValid 734700x80000000000000007560942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007560941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007560940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007560939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007560938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007560937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007560936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007560935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007560934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007560933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007560932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007560931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007560930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007560929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007560928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007560927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007560926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007560925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007560924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007560923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007560922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007560921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007560920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007560919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007560918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007560917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007560916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000007560915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.681{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007560914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.666{4DF467A6-9286-613B-AA22-01000000F001}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007560913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:46.665{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:46.665{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007560911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:46.665{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:46.665{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007560909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:46.665{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007560908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:14:46.665{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007560907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9769D4655A134859371F558163199888,SHA256=74E6F67D4BEEE7B9658A6395418C8BF8EB4AB8F5C65990333CE4A2018233E1A0falsetrue 23542300x80000000000000002132794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:46.216{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839C694C191CFD89161225A25531CC73,SHA256=5127A1D156BB2C70E52800517E9F34351093661C98AF15E3047E934FA8E2A21B,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007560905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.119{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007560904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.119{4DF467A6-9285-613B-A922-01000000F001}9084756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007560903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.119{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007560902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.119{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007560901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007560900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E78792FAF4CDE7F30292B5B9B853D8,SHA256=B003DAF4635BE1046E0113DF47568484EDB18A271135DBC99BFD9A8340C623F9falsetrue 734700x80000000000000007560899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.001{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007560898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.000{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007560897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:46.000{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007560896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:45.999{4DF467A6-9285-613B-A922-01000000F001}908\srvsvcC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007560895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:45.999{4DF467A6-9285-613B-A922-01000000F001}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 11241100x80000000000000007561028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26401B49E96BC035F089EC291FA24BEA,SHA256=8B3A3951918D84AEC40445C012724F49D8F51455C5A2AFFBD03C5DEBEC2C15F9falsetrue 11241100x80000000000000007561026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659261C3744FE71880139D11DA64FE3A,SHA256=BAB4B5A16E1085C6DFD6B347DB0FE05B67A14CBCFD4640FA1E2D140BDBF2913Dfalsetrue 534500x80000000000000007561024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.501{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007561023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.501{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007561022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.501{4DF467A6-9287-613B-AB22-01000000F001}70363720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:47.501{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007561020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.501{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000002132795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:47.219{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B09FAB67598F7884E0887AC90CB2643,SHA256=00A3D112B815F83B133AC01BE4D9492B7178BB7C9D4392B3B309636910E3823A,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007561019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.380{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000007561018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.380{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.380{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:14:47.380{4DF467A6-9287-613B-AB22-01000000F001}7036\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007561015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.380{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007561013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007561012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007561011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007561010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007561009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007561005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007561002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007560999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007560998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007560997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007560996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007560995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007560994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007560993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007560992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007560991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007560990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007560989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007560988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007560987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007560986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007560985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007560984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007560983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007560982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007560981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007560980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007560979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007560978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007560977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007560976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007560975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.364{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007560974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:47.349{4DF467A6-9287-613B-AB22-01000000F001}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007560973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:52.771{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A3329EFABAC5C84867604FC5D0688A,SHA256=D796B03D0238CF92866623552DE599EFDAA6431129015AFEBED452030B616CBDfalsetrue 23542300x80000000000000002132803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:52.227{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB2A9080E4C5DA607B760083EAB7B8D,SHA256=F8681EE5FFE7C575557D509ADF3173CA590E24D2B761731F9B92E2779AD54CC0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:53.788{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:53.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983BF143BD2DCA8E3C021460C8F4AC7C,SHA256=7E50BF1F201690619EEF8142E59576EEAB61A6CF8349958042C36E5F3373F3B7falsetrue 
23542300x80000000000000002132804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:53.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC26BDF777C10E7B77A4E2E7CD269E4C,SHA256=B53026D3F038A2835EC0E242B580BB54A74A46336EA3503C516DEEEA13EF846B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:54.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:54.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE572863ED0E70F9EAD33BFBC8FC35AC,SHA256=8B0F469AEFC93A48226C637C6E9509AB43CC0B9BB89AD4B21BA97BB31D052B59falsetrue 10341000x80000000000000002132818Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-928E-613B-C31B-01000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132817Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132816Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002132815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:54.578{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-928E-613B-C31B-01000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.578{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-928E-613B-C31B-01000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.563{AEE49BD1-928E-613B-C31B-01000000F101}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002132805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:54.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA383B78989EADE00E2CB796DAE927FE,SHA256=B25B1264C192BB17D0C0DB7115248E8F34F8E8BBB2034BE4B53DC633B248D485,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007561112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:54.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:54.137{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F32206174D8FEF91018D131DDB4064B2,SHA256=3EE584266EA1C64CB4FB354212087F28405855A53F3F45DBBBE121709D29FBC0falsetrue 11241100x80000000000000007561110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:54.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:54.121{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E89D8880732FC6E884DFC51A16EF7D34,SHA256=2BD2A44114BD25945B3213A4EC703C3A5C87F5DFDC03B0A7D5C7547F80D763B7falsetrue 11241100x80000000000000007561121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:55.865{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:55.865{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2B47FC238D206A79014BE00FBE9C5,SHA256=A5CD831CA38C65CDFAEE14EA61564769DDAA2B881E024091D152203489950F6Afalsetrue 10341000x80000000000000002132848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:55.879{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-928F-613B-C51B-01000000F101}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:55.879{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:55.879{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:55.879{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:55.879{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132843Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:14:55.879{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132842Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:55.879{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132841Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75EEEB16469A5F52D879710E412B92A,SHA256=96D9D4F23F0B127F87CBC67CB4DE25F5B5034CED7B7F202707254C7C669A93ACfalsetrue 11241100x80000000000000007561161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:00.211{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:00.211{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059522319C330DEA891C0568C8B7448D,SHA256=36AC9C99F88EB58CDC19CD103448DACF9DD31EEB6D05A0766723B141C8C605E5falsetrue 11241100x80000000000000007561159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:00.211{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:00.211{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1624EEE17A7386594E94C11D3FE032BA,SHA256=370599ACC45D6F4C6561B1407DBB02A98A642569230F34822C7343C5C42489C4falsetrue 354300x80000000000000002132858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:14:52.972{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62439-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:01.489{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD90447F75AE11DFE4AF1B89FCF4CE3D,SHA256=9B55EC7A3634689208469DE96A4E6996102306A4C8ED0880608197E49C805188,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:01.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:01.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259264DE31E440880F1F931E10F63F1B,SHA256=853AB528F7E47E429EBBB6F57B6FBCA379D17D8AAABBA8D2C6408B78550E0678falsetrue 23542300x80000000000000002132856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:01.273{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13DF88850665F5FC2A5C9949C67CE72D,SHA256=79F9E9E6286DFDCD47A5A0A2C44D2615FBE0855A21B25FFD7C88836D243C99FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:02.491{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336B2898ADF5509BABAC8B0A292A2415,SHA256=5D6070FEE7CF4EDFD1C1A55301489395358C225B1A7818666E6DE81C2597C66F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:02.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:02.307{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD2FC9D4243300B17D67261C5754433,SHA256=9D15EB5EBBA3354335EEC6419E8C51A14F8EC0A4C68EC28D5DB9946DBF523998falsetrue 23542300x80000000000000002132860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:03.493{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E94591BF3B8581465B9C55FA41EF3E,SHA256=7B429A07EE2CEEC43DD09C92EFCF37C15BBFA048AAA56C405021341F362753AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=019043D20CEA39A100265DA8458BD7BD,SHA256=9F310106A397BF9150855F73E2948AD325F12A75353CDD24D27552BD141090FAfalsetrue 11241100x80000000000000007561184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=F48A6A2C2C2AEF57BF183DEB4BD9945C,SHA256=01BB82E30A6D9AC02FFF2156A81EFED82B0027B4B4252DFEF613804F1E08C331falsetrue 
11241100x80000000000000007561182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=69D5E2DA33B4E01DD0A6F0B5C8117A4F,SHA256=74216CE0E4456B1B5779144473FFD53C76F65252716CCA34680944EB74DF3E45falsetrue 11241100x80000000000000007561180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=E230213857111D83EC831316AF1BC2DE,SHA256=0C2FB8E67A6C412024DC3DC2C0EAAA06BC8DEC908009510EA89D1E6EEC769765falsetrue 11241100x80000000000000007561178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 
20:44:01.067 23542300x80000000000000007561177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=B59123032A1458EF0C751E6EC32C5CCA,SHA256=F5C71B025292BCFBFBE2D68014F3620306FA9AE9BC57AAB0717B4B6CACE53EF7falsetrue 11241100x80000000000000007561176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=14800B8F336A45455C9D107BF35BBBCD,SHA256=2BA613DDB765E3DF07B46348E813B6A9FC0E7663CB0C815B294FD15A36CE6712falsetrue 11241100x80000000000000007561174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.621{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=DA8609666B5CA864B28BCAFF4E0E03A0,SHA256=F0C38BA5AF8D262EC52CA1C5715979255771DD97FBAF48387462A09617968F93falsetrue 11241100x80000000000000007561172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B622313D00FB5D04DBD1A244E5E20F,SHA256=3BD8ABA049BAFF20E5898C6DFDAB901BF075286576347BE98DF8988503A2CBACfalsetrue 11241100x80000000000000007561170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:03.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ED5177FD09E582AF14241CDF207B9280,SHA256=40EBEE77B1113205A58284DB5C03B68DFFCD2FD2B3EA45FB9712F4B1B8EB96CFfalsetrue 
11241100x80000000000000007561192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.404{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.404{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203BB728C8382B650A725467C08B16D1,SHA256=9BE3C1B5C35F7CA7E3372A6C08EDEF01136852F757D5C694A9724909761A5BD4falsetrue 23542300x80000000000000002132861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:04.494{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8A9067EDD31E7FEF3E16BB45DC8127,SHA256=2218F61BC0CA869D5F8C1F281DEC9FA384BC15C12518A7DAD7123FBE55B06CD3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.371{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.370{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059522319C330DEA891C0568C8B7448D,SHA256=36AC9C99F88EB58CDC19CD103448DACF9DD31EEB6D05A0766723B141C8C605E5falsetrue 11241100x80000000000000007561188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D26FF98E30B0B8184125D33A9DAA571,SHA256=3B79C1F46275A00E79DC16A7BDB6E49BDA8469C4629C05AB08E14DB4322D2C3Afalsetrue 23542300x80000000000000002132862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:05.496{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B9D527A9F6EBD4A5E90EEE388AB807,SHA256=8494F6CC3119876CA0889CAEA00561AD0235EBAB4A8975DFA6765D0C3E4433BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:05.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007561193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:05.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617442A33488D85996C117EF9E4E0EB2,SHA256=35A19C03D0D75275EADC7F27EB1D39367C398D9A60F81B89D9CA91D29389F6D4falsetrue 23542300x80000000000000002132863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:06.497{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A3D938A0D225C9E4D0797E1EADBEB9,SHA256=85C2BBD3AFE23ED192BD6108AA47323D7104F9918EAEDAE71D84B9F6ED0B440D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007561236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 13241300x80000000000000007561235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000007561234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 
17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000007561233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000007561232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000007561231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a667) 13241300x80000000000000007561230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x66aa860c) 13241300x80000000000000007561229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a667) 
13241300x80000000000000007561228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x6698e7e8) 12241200x80000000000000007561227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x80000000000000007561226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x80000000000000007561225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x80000000000000007561224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x80000000000000007561223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 
13241300x80000000000000007561222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x80000000000000007561221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x80000000000000007561220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x80000000000000007561219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000007561218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000007561217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x80000000000000007561216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-10 17:15:06.501{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group 
20:44:01.067 23542300x80000000000000007561258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=CAAD7DD0BB24512B6D688BDCD1278040,SHA256=A3ED2EDD31B4D644F30EDD9D03C261FAB57CC39D1B66052DBADCED0E2FB518E8falsetrue 11241100x80000000000000007561257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=E089C4B820F0B12852E0710FCC464420,SHA256=F2E6BB42553610E1EE5A681A80103A910C26083D940677FE1B14B16DCDDCB84Efalsetrue 11241100x80000000000000007561255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=1907702B98462A7ADDCC3DA12ACBC3DF,SHA256=652CC4BAC01D508D1939819E3797D0CBDF3899BE40BB4839C492A242103A5470falsetrue 11241100x80000000000000007561253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.644{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=9491E60E0FB8C9077CC62D4676C18D0B,SHA256=983BB95D6653C1C861852EB36AD633EAAF652B5194B805F0AFACFC17AC7ECC04falsetrue 11241100x80000000000000007561251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D68FF2AB00CD7D3272AF87AF321A0EB,SHA256=CE2B29F0ADA8138E2B3E37CF4BF812268AAD720DF853179EDE914A3F63A216B6falsetrue 
10341000x80000000000000002132881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:08.082{AEE49BD1-929B-613B-C61B-01000000F101}325876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007561249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:49.365{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56988-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000007561248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:49.365{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local56988-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 11241100x80000000000000007561247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.167{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:08.167{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F9E0E2A57A9B5E6794D78DDBABB68BB,SHA256=7F791E1BF279CC559375AED1B4F0864ED91D1F6E9C1CB4A643F5E5186B550406falsetrue 11241100x80000000000000007561271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.596{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FD70D9B4BAB7775379557B8E00FD5C,SHA256=98BCCF3FB145F9E49095BD7A5AC157E1D82090258E936E5F512EBD46C7357019falsetrue 23542300x80000000000000002132912Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.635{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE227C847FF87C42A22CBEFCE2C8AF24,SHA256=87BE6B2580E0DDC0FAEE6D322A25EF385A32C9679F3B72F7B21D90116555E5EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002132911Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.482{AEE49BD1-929D-613B-C81B-01000000F101}51683932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132910Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-929D-613B-C81B-01000000F101}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132909Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132908Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132907Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132906Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132905Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:09.367{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-929D-613B-C81B-01000000F101}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002132899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.367{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-929D-613B-C81B-01000000F101}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002132898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:09.352{AEE49BD1-929D-613B-C81B-01000000F101}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007561269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.361{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=812D66B8F27808A951F4D972893168E3,SHA256=DD94251996B01EF547872C9390BD94DB46DC48DCDF4C1CDF0CC593388892A0FCfalsetrue 11241100x80000000000000007561267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E81A22CCBD3590E8705FF71C8955B1E1,SHA256=03F63AAD604BB1ABA9AD0B38D9DE8599D3FD2EC5F0A45FECC7318129000F0501falsetrue 11241100x80000000000000007561265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:09.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F52DC090B9189D2D90EF47C69D51C073,SHA256=5BE3BB7320DC8AAF24D10B4EDA244F03B4EF00734DEF820907DA5FBFD17A2BA2falsetrue 
11241100x80000000000000007561273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:10.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:10.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B0FF1FFBBE570C8AA02FA6E48218F1,SHA256=A1AC74A7F4296BD2E763D5ECDD4A5A5F65D4384F4ADA4FBDC9362D793F00DD46falsetrue 23542300x80000000000000002132914Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:10.652{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432E0CE13E4D5E22311FC4E80A65987C,SHA256=BF3030A26FA71D5A79C020EB45C48F7E59222293D7B7B04E2CC741677F84D2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132913Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:10.452{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B844A34E802D9C39215934C5CED2CC7,SHA256=D51F72FE67798B9365A7AEAC809F7BA3DE89F146E94603B16F4F6F7A8DA4BFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132916Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:11.738{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132915Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:11.654{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A100FED5D2F5177B2B42A96DA6F623A0,SHA256=FAF5DB4100D4CDE35B60FB58F536FD4B472A1BC045725C7D8782606C4EE74883,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:11.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:11.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B0312E66C07C9BBA02FED33E0B9F1B,SHA256=921676428029F8952001DEDC32E211F2323494EDFFCD49047F2A344E3540692Bfalsetrue 23542300x80000000000000002132918Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:12.756{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F52AEACFD58559D7A16D5BE9413A9E7C,SHA256=80B41C79E2B66427CDDCEB791B433D31CBBF401FE206A39F08616A05892828C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132917Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:12.671{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A72F021BCD35F97303F1C37064B6E66,SHA256=CE7B9DE9C833342529252327A0D665AB4A4DFBEA805016A1D600687F58C6A6CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:12.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:12.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEC7DDFABADCC39FC8D27581A23A8A1,SHA256=709E135FAE8771505D8EB76A009E225335018ADA6A3BA40D6EF5F4E5CF978BBFfalsetrue 11241100x80000000000000007561277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:12.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 
23542300x80000000000000007561276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:12.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6B16820AAD63C620A1B4EB69E0AC38,SHA256=53003664F1804E5C14580A2B09CEADD278BD16BB80674CA6BAD9584F6496C2BDfalsetrue 11241100x80000000000000007561284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:13.705{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:13.705{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320163BBB020740F61A3CAAA1C483FB8,SHA256=B071BCC0BE656769FFF6B6B90587AD49A71ADF506E4CB007BD562FF214E3022Cfalsetrue 354300x80000000000000002132921Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:04.923{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62442-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002132920Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:04.523{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62441-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000002132919Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:13.673{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBFA824ECB4D40C148935D51B575587,SHA256=7254E221A21669FC97068819FC82F1C9E5AE0D8727C2017EEB4A49AD71CB4734,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007561282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:53.970{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56989-false10.0.1.12-8000- 11241100x80000000000000007561281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:13.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:13.159{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD224EF2397ACA1DB06E9106864E12F3,SHA256=D803055C17C467D93C06D2D48FD52877AB4C1B69811B1B95A69A63A84994C648falsetrue 11241100x80000000000000007561290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:14.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:14.719{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8FB940F221ADF4A2A8B8772FE91E2B,SHA256=05912C340184D4E691F4C29041CDAD3EF5CD286C534B14FACBC6814F139325DFfalsetrue 23542300x80000000000000002132922Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:14.723{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F823D5DEB4CAB343FA99AEAA2ABCBA,SHA256=B42DAE044FFC885A642784A8FD98531674D5C9B9560C63DF9D4CABFB6FF84081,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:14.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:14.120{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C880E3F0D85C3D0BB5A0CFFACF708064,SHA256=73E16EC79F45B4EC7C0CC2DD5482608CD42604142566701408EE36276C4B8777falsetrue 11241100x80000000000000007561286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:14.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:14.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=689DF74775E001AD003848251181B444,SHA256=F52490562612886993725E8FA3EDB5A242576CA4E9C752EFF76628B6DB9BD599falsetrue 11241100x80000000000000007561296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:15.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:15.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C507C052143122CE43721981A7455D,SHA256=C29649305C1D9B483D5454220FB1909607B444330FAF24CDA62BF846CEEC1637falsetrue 
23542300x80000000000000002132923Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:15.726{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F39AAC80CFF117525E3532703FD6454,SHA256=0E264D496B1D1382A4FC9A184898FF5B3B45D0DCD0B1DFE59113304D6E1CC1E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007561294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:15.349{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-0F00-00000000F001}308C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:15.302{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:15.302{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:15.302{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.868{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-7BCD-00000000F001}976C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.868{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-D465-6138-7BCD-00000000F001}976C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000007561300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.868{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.868{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007561298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.769{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.769{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83488C43CD9FE277FFC396A92C0E6605,SHA256=0A4882B4AB1B772AD0437D8863FCAAE45D2E0625D3A81BF62FC16C7FE51470B6falsetrue 
23542300x80000000000000002132924Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:16.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F580C2D6FE5F42D5817B6003BA73D2F,SHA256=8DABD56D292E217AF5DCCF78646C7687D713D977C6F6FB247ED155E5018C9056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132925Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:17.748{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225FBF73675D6A202D1B269E04BB465F,SHA256=7B51BB690B899FB8DA8F050B1056A432035EF4F374B8E086D08A9D2E350D5592,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:17.798{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:17.798{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A786F41983E14182490CD058DA76CA61,SHA256=356F57DD3DD76938D25E82AE22B36D467F2EC487E70088203D902BC3390CCD82falsetrue 
11241100x80000000000000007561306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:17.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:17.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0674BF11B08245A692404C82C96572,SHA256=AC27F1A4533AE69EB8D5C06C8663F79F04A079C33043C4FBA59D42236DD788C7falsetrue 11241100x80000000000000007561304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:17.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:17.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9BD2F4F84706DB176D7DB3330D56D3A,SHA256=2C936FE9008834EAED110880A8FCD23B1619E5AD099BA79081A4324BAB1C7F91falsetrue 11241100x80000000000000007561315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.828{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007561314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.828{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409356EDBDDB5A7B554ECA98FB78AADC,SHA256=1C88A846093565C75AA40496DA36054273A198267A7EFDD297A646E53146E742falsetrue 23542300x80000000000000002132926Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:18.750{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B990C933D778BAFE5C95D12736DA56,SHA256=49A4683D42042D0BA8567F02D123639E9393F702207BEE2A2AA54F48724BCBB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007561313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:58.977{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56990-false10.0.1.12-8000- 11241100x80000000000000007561312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D761339F55B0388C212C6C660F31B73,SHA256=33A6726BCDBBD02582565EEDCEFA248A35E7C4B63D1E76B4B5D86ABC3EF78A87falsetrue 11241100x80000000000000007561310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0674BF11B08245A692404C82C96572,SHA256=AC27F1A4533AE69EB8D5C06C8663F79F04A079C33043C4FBA59D42236DD788C7falsetrue 354300x80000000000000002132943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:10.911{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62443-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132942Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:19.783{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380E00C6EFDAB971D4F3DB67A46852D8,SHA256=9997396853E6E64041A12F192937043068726C3AF31E8BCA017CE1D567324651,IMPHASH=00000000000000000000000000000000falsetrue 
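The records above are Sysmon events from the Microsoft-Windows-Sysmon/Operational channel whose XML element boundaries were stripped by the export, so the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) and the EventData fields run together in the order Sysmon emits them: EventID 3 NetworkConnect, 10 ProcessAccess, 11 FileCreate and 23 FileDelete appear here. The Python below is an added example, not part of this data set or of Sysmon or Splunk: it splits the stream back into records, recovers the fields for those four event types, decodes GrantedAccess into process rights, and handles the one field the flattening genuinely destroys. EventID 10 fuses SourceProcessId and SourceThreadId into a single digit run ("8966224"); the example disambiguates by cross-referencing the source ProcessGuid against events where that GUID stands next to a bare ProcessId, combined with the fact that Windows allocates process and thread IDs as multiples of four. The sample records are copied from the dump (call traces shortened to their first frames); the assumption that RuleName is always "-" holds for this dump but is not general.

```python
import re

# Constructed sample: six records copied from the dump above, element boundaries stripped
# as in the export, joined with the single space the export leaves between records.
# EventID 10 call traces are shortened to their first frames.
SAMPLE = " ".join([
    r"354300x80000000000000007561313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:14:58.977{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56990-false10.0.1.12-8000-",
    r"354300x80000000000000002132943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:10.911{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62443-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-",
    r"10341000x80000000000000007561299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:16.868{4DF467A6-3F47-6132-0D00-00000000F001}8966224C:\Windows\system32\svchost.exe{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681",
    r"10341000x80000000000000007561293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:15.302{4DF467A6-3F47-6132-0C00-00000000F001}8365996C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad",
    r"11241100x80000000000000007561310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769",
    r"23542300x80000000000000007561309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:18.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D0674BF11B08245A692404C82C96572,SHA256=AC27F1A4533AE69EB8D5C06C8663F79F04A079C33043C4FBA59D42236DD788C7falsetrue",
])

GUID = r'\{[0-9A-F-]{36}\}'
PATH = r'[A-Za-z]:\\.+?\.(?:exe|EXE)'          # an Image field ends at its first ".exe"
TS   = r'\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}'
BOOL = r'(?:true|false)'
IP   = r'\d{1,3}(?:\.\d{1,3}){3}'
PORT = r'(?:-|[a-z][a-z0-9-]*)'                # PortName is "-" when Sysmon has no name for the port

# System part: EventID, Version, Level (4), Task (== EventID), Opcode (0), Keywords 0x8000...,
# EventRecordID, Channel, Computer, then RuleName, assumed "-" as everywhere in this dump.
HEAD = re.compile(
    r'^(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)0'
    r'0x8(?P<kw>0*?)(?P<rec>[1-9]\d*)'
    r'Microsoft-Windows-Sysmon/Operational'
    r'(?P<computer>.+?)-'
    r'(?P<utc>' + TS + r')(?P<body>.*)$')

# EventData part, one pattern per event type, fields in Sysmon schema order.
BODY = {
    3: re.compile(rf'^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH})(?P<User>.+?)'
                  rf'(?P<Protocol>tcp|udp)(?P<Initiated>{BOOL})(?P<SourceIsIpv6>{BOOL})'
                  rf'(?P<SourceIp>{IP})(?P<SourceHostname>.*?)(?P<SourcePort>\d+)(?P<SourcePortName>{PORT})'
                  rf'(?P<DestinationIsIpv6>{BOOL})(?P<DestinationIp>{IP})(?P<DestinationHostname>.*?)'
                  rf'(?P<DestinationPort>\d+)(?P<DestinationPortName>{PORT})$'),
    10: re.compile(rf'^(?P<SourceProcessGUID>{GUID})(?P<SourcePidTid>\d+)(?P<SourceImage>{PATH})'
                   rf'(?P<TargetProcessGUID>{GUID})(?P<TargetProcessId>\d+)(?P<TargetImage>{PATH})'
                   rf'(?P<GrantedAccess>0x[0-9A-Fa-f]+?)(?P<CallTrace>[A-Za-z]:\\.*)$'),
    11: re.compile(rf'^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH})'
                   rf'(?P<TargetFilename>.+?)(?P<CreationUtcTime>{TS})$'),
    23: re.compile(rf'^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<User>.+?)(?P<Image>{PATH})'
                   rf'(?P<TargetFilename>.+?)(?P<Hashes>MD5=.+?)(?P<IsExecutable>{BOOL})(?P<Archived>{BOOL})$'),
}

PROCESS_RIGHTS = [  # Win32 process access rights carried in GrantedAccess
    (0x0001, 'PROCESS_TERMINATE'), (0x0002, 'PROCESS_CREATE_THREAD'),
    (0x0008, 'PROCESS_VM_OPERATION'), (0x0010, 'PROCESS_VM_READ'),
    (0x0020, 'PROCESS_VM_WRITE'), (0x0040, 'PROCESS_DUP_HANDLE'),
    (0x0080, 'PROCESS_CREATE_PROCESS'), (0x0100, 'PROCESS_SET_QUOTA'),
    (0x0200, 'PROCESS_SET_INFORMATION'), (0x0400, 'PROCESS_QUERY_INFORMATION'),
    (0x0800, 'PROCESS_SUSPEND_RESUME'), (0x1000, 'PROCESS_QUERY_LIMITED_INFORMATION'),
]

def decode_access(granted):
    """Expand a GrantedAccess mask such as 0x1400 into the named rights it contains."""
    mask = int(granted, 16)
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]

def parse_stream(stream):
    """Split the export into records and recover System and EventData fields."""
    events = []
    for chunk in re.split(r' (?=\d{5,7}0x8000)', stream):
        head = HEAD.match(chunk)
        if head is None:            # e.g. the tail of a record cut off at a page boundary
            continue
        ev = head.groupdict()
        body = ev.pop('body')
        ev['eid'], ev['rec'] = int(ev['eid']), int(ev['rec'])
        ev['keywords'] = '0x8' + ev.pop('kw')
        m = BODY[ev['eid']].match(body) if ev['eid'] in BODY else None
        if m is None:
            ev['unparsed'] = body   # event type this parser does not model
        else:
            ev.update(m.groupdict())
        events.append(ev)
    return events

def resolve_pid_tid(events):
    """EventID 10 fuses SourceProcessId and SourceThreadId into one digit run. Windows
    hands out PIDs and TIDs as multiples of 4, and the same GUID appears elsewhere beside
    a bare ProcessId, so combine both to recover the split where possible."""
    known = {}
    for ev in events:
        if 'ProcessGuid' in ev:
            known[ev['ProcessGuid']] = int(ev['ProcessId'])
        if 'TargetProcessGUID' in ev:
            known[ev['TargetProcessGUID']] = int(ev['TargetProcessId'])
    for ev in events:
        if 'SourcePidTid' not in ev:
            continue
        digits = ev['SourcePidTid']
        cands = [(int(digits[:i]), int(digits[i:])) for i in range(1, len(digits))]
        cands = [(p, t) for p, t in cands if p and t and p % 4 == 0 and t % 4 == 0]
        pid = known.get(ev['SourceProcessGUID'])
        if pid is not None:
            cands = [c for c in cands if c[0] == pid]
        ev['SourcePidTidCandidates'] = cands
        if len(cands) == 1:         # leave the field unset when it is still ambiguous
            ev['SourceProcessId'], ev['SourceThreadId'] = cands[0]
    return events

if __name__ == '__main__':
    for ev in resolve_pid_tid(parse_stream(SAMPLE)):
        if ev['eid'] == 3:
            print(ev['rec'], ev['computer'], ev['Image'].rsplit('\\', 1)[-1],
                  '->', ev['DestinationIp'], ev['DestinationPort'])
        elif ev['eid'] == 10:
            print(ev['rec'], ev.get('SourceProcessId', ev['SourcePidTidCandidates']), ev['SourceImage'],
                  '->', ev['TargetProcessId'], ev['TargetImage'], decode_access(ev['GrantedAccess']))
        else:
            print(ev['rec'], ev['eid'], ev['TargetFilename'])
```

On these six records the source of record 7561293 resolves to PID 836 / TID 5996 because GUID ...0C00... is the target of record 7561299, where 836 stands alone; the source of record 7561299 (GUID ...0D00...) stays ambiguous between 896/6224 and 8/966224, and the parser deliberately reports both rather than guessing. A responder should feed the whole dump, not a slice, so the GUID-to-PID map is as complete as possible, and treat any event whose body lands in `unparsed` as a schema this parser does not model rather than as noise.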
10341000x80000000000000007561357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:19.879{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-3EE5-613A-21FA-00000000F001}2428C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007561347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80343CED8A8)|UNKNOWN(FFFFF69DEB4A5B68)|UNKNOWN(FFFFF69DEB4A5CE7)|UNKNOWN(FFFFF69DEB4A0371)|UNKNOWN(FFFFF69DEB4A1D3A)|UNKNOWN(FFFFF69DEB49FFF6)|UNKNOWN(FFFFF80343A05103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000007561366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.578{4DF467A6-3EE5-613A-21FA-00000000F001}24287644C:\Windows\explorer.exe{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80343CED8A8)|UNKNOWN(FFFFF69DEB4A5B68)|UNKNOWN(FFFFF69DEB4A5CE7)|UNKNOWN(FFFFF69DEB4A0371)|UNKNOWN(FFFFF69DEB4A1D3A)|UNKNOWN(FFFFF69DEB49FFF6)|UNKNOWN(FFFFF80343A05103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007561365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:20.578{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF246d981c.TMPMD5=9D84A9844F50F830E05319AE1FC4700D,SHA256=1DF0A88684C3A7DDC548DDCE0A82D4D427553273153763D6B2408C185EA84867falsetrue 11241100x80000000000000007561364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.578{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF246d981c.TMP2021-09-10 17:15:20.578 254200x80000000000000007561363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.578{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNZBZ9IR31R3P1Q0U9MV.temp2021-09-03 20:46:01.0612021-09-10 17:15:20.578 10341000x80000000000000007561362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.578{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla 
Firefox\xul.dll+c28e2b|C:\Program Files\Mozilla Firefox\xul.dll+c21c12|C:\Program Files\Mozilla Firefox\xul.dll+c27250|C:\Program Files\Mozilla Firefox\xul.dll+c27991|C:\Program Files\Mozilla Firefox\xul.dll+3b5d81|C:\Program Files\Mozilla Firefox\xul.dll+c28749|C:\Program Files\Mozilla Firefox\xul.dll+c2b702|C:\Program Files\Mozilla Firefox\xul.dll+c28166|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c08a13|C:\Program Files\Mozilla Firefox\xul.dll+c07c05|C:\Program Files\Mozilla Firefox\xul.dll+c0e52b 11241100x80000000000000007561361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.578{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WNZBZ9IR31R3P1Q0U9MV.temp2021-09-10 17:15:20.578 10341000x80000000000000007561360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.578{4DF467A6-4079-613A-86FA-00000000F001}58966692C:\Program Files\Mozilla Firefox\firefox.exe{4DF467A6-407B-613A-87FA-00000000F001}6428C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b8df1|C:\Program Files\Mozilla Firefox\xul.dll+a07df4|C:\Program Files\Mozilla Firefox\xul.dll+ba1071|C:\Program Files\Mozilla Firefox\xul.dll+b7da03|C:\Program Files\Mozilla Firefox\xul.dll+b7dbb7|C:\Program Files\Mozilla Firefox\xul.dll+ba0f8f|C:\Program Files\Mozilla Firefox\xul.dll+c13515|C:\Program Files\Mozilla Firefox\xul.dll+3c2d41|C:\Program Files\Mozilla Firefox\xul.dll+3c28c4|C:\Program Files\Mozilla Firefox\xul.dll+3c2768|C:\Program Files\Mozilla Firefox\xul.dll+c28e2b|C:\Program Files\Mozilla Firefox\xul.dll+c21c12|C:\Program Files\Mozilla Firefox\xul.dll+c27250|C:\Program Files\Mozilla Firefox\xul.dll+c27991|C:\Program Files\Mozilla Firefox\xul.dll+3b5d81|C:\Program 
Files\Mozilla Firefox\xul.dll+c28749|C:\Program Files\Mozilla Firefox\xul.dll+c2b702|C:\Program Files\Mozilla Firefox\xul.dll+c28166|C:\Program Files\Mozilla Firefox\xul.dll+3b5588|C:\Program Files\Mozilla Firefox\xul.dll+c08a13|C:\Program Files\Mozilla Firefox\xul.dll+c07c05|C:\Program Files\Mozilla Firefox\xul.dll+c0e52b 11241100x80000000000000007561359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398A2433667BD112E3096BC0E19BDE72,SHA256=B823EE21837E884451CDC23775FB220A9CD6B189BEAE289F7AC3FD8714B7742Bfalsetrue 23542300x80000000000000002132944Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:20.233{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32B6B461D2EE752F73455AE43B8108B,SHA256=613D5D4CAAFC1979D553E78A4AA502B62E79E95E75553F9FBDFB1612FC00FBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:21.888{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-9923MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:21.802{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE96CBC02B7ABB48BB56AB6035321AFA,SHA256=9557C1124AD15E451737A93D8B40FBBB8835B7D38962969CADB44670C43EC685,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:21.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:21.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A326984A23F2398B194AEA14FA1DECCB,SHA256=F0821D5758612C9F76356C6CDA009C3D0B73869BC7646A4A81979C7F0390EDC1falsetrue 11241100x80000000000000007561376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:21.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 
23542300x80000000000000007561375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:21.392{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E6B106DC08BE66F998020FDC5D4592,SHA256=04E34786933876E6705B307566A22CB2C99DC16C767B65E7CF76F834CCE906F7falsetrue 23542300x80000000000000002132949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:22.886{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-9924MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:22.818{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EA0BD20CBF94501A1F204BC1E9A636,SHA256=218075BA960ADA20911D5CA57AB082CB4598EA9E8DB77E6984E1C7C6B1AEDA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007561381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:04.100{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56991-false10.0.1.12-8000- 11241100x80000000000000007561380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:22.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:22.459{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E498DB1B7FD31F74AD5AA1E27167967F,SHA256=8EED7FD8E5C0F0FAB10D419F373301E6AF8762689A98D8E5FE4F46460D3B78A6falsetrue 23542300x80000000000000002132950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:23.819{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F654E21BBAB1741F617D8FB062A33A28,SHA256=1FA1F43138E3B2771DD3AFFF24BFEEA125AC83BB1000C7DB4DE29AA2AA5DA1F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:23.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:23.473{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39282E9E33BC54072B4F77DA458DA019,SHA256=23B9407BB8F60D29FB8CE5E5276CC38DB09AA8D1E57567178329DD3FA71A7AE2falsetrue 11241100x80000000000000007561383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:23.373{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:23.373{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAD2645F1DD19CE867B9B3D9AA51B566,SHA256=4662A0C9BAF3A107181B3A6986D8E38E70D4D93B4A432F2B195E1E10C2583B5Ffalsetrue 23542300x80000000000000002132952Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:24.838{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D4B70B459F344459D18A240C7D8F86,SHA256=161CDB532E8FCC0F54E7A2D04563AB0785AE14CA9AD4AF6C71C7246478BFE495,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 
23542300x80000000000000007561392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76F1F14104FACE25450377B7C1C5D0CA,SHA256=8E201523A463568CACDF61C89A8A8D1CA7229714A13E00254353B7C6A73AFBF6falsetrue 11241100x80000000000000007561391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=13293479CB0CDBABD4F7DB315688B56B,SHA256=3F1D5596A0BCE36D4582F1C0A0CEA21AE6473B9E9FFE252F55266F632DC89390falsetrue 11241100x80000000000000007561389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000007561388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CBE3C039EAEF40F79F2FA4A56684DB,SHA256=FC88264E6CA7BFAEB9D9DCE5452ED506DF2D95137737EBE87530065FC0DB0EA1falsetrue 23542300x80000000000000007561386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:24.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011B04D627C93E69CFEF432884D9F3E9,SHA256=68349E4923201AEF0F644D92D2F2CB34B6C7D91BF9426DC9059C3A7DF094375Dfalsetrue 23542300x80000000000000002132951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:24.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A265D7BDF4D6808237DB3C2360470402,SHA256=2B27A56ABBA080BB9D2594E6EE9104E681FF02884D56C224104B52B9DF0C2308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:25.859{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58F3B84951ECD99EE665B87FFD593A7,SHA256=A3A44DBD52304CDB496A13735D010218751C74FECCB76ABAB61E816DD9AB53C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=4DCC4F9C0715625E5B5C988F11E28786,SHA256=04866D6A82837902EB62B8D4B99E24D9F1AC86AC2B62FB6BCF512988DC662755falsetrue 11241100x80000000000000007561405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=8587D6EDEDCB0A6865C6A9673F4D409B,SHA256=FB11D04FE6BB11F8FF22BAD3D979525FA8B7D6E7F0F6A5D8FC1BD1E08856CD76falsetrue 
11241100x80000000000000007561403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=FE0439DD8F1627FD8EA79C2073478357,SHA256=9851A95AE5F612D29750FF5EE3EDA5DC6FA060E63ED09B7FEB1E0895CF746624falsetrue 11241100x80000000000000007561401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=0E517600F314B0F3C337944BFAD734B8,SHA256=86230FC6B7F93E5E13BF4039F213315AA0E7CC9AD8EF83D60B16A86BC972B0B3falsetrue 11241100x80000000000000007561399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 
20:44:01.067 23542300x80000000000000007561398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=AEA8D5EE2DD19620E9D4E4AD24AB778A,SHA256=2181D85B838E3846E5665B16B8F506D6399A22EEF5141D5CA77B60C82D819C75falsetrue 11241100x80000000000000007561397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.816{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=3B643FE41ADCEC4F625E83BA5C3584D8,SHA256=DEBA71C6AFA565EBBEDE0FAC1B88E245F5E516FEBD0F5BB4D602F45E6193ED47falsetrue 11241100x80000000000000007561395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.635{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
11241100x80000000000000007561475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:40.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:40.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0760F57E9906D994F83270CB3CD589B3,SHA256=8AEC3B54954E509DC5C71C137C1904DB855F60DD9D4939695D479461813A8E49falsetrue 354300x80000000000000007561473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:20.941{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56994-false10.0.1.12-8000- 11241100x80000000000000007561477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:41.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:41.177{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A894321CFF2E5BF57DB831B8BE005D,SHA256=9A2C0A7D06C57604A4081600D048F9E5492C87848D1E991DBAE2614C5867BCEDfalsetrue 354300x80000000000000002132982Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:32.831{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62447-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:41.067{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C90DD6953349CD5CCBAF4DEE92E1369E,SHA256=E9AC0A6822D9D86EAC462A7163A957C6ADF07A04D4A2850F80962E1CD83E97FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:41.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9A332DDD638E7C486A470750196CD5,SHA256=C76EBC7B97CB57598341EF451CD412B56E175C982E8D8781DB1D09CABA9A5D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:41.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A746EF91E5D6BE67E743D87C1F1A4F00,SHA256=22AFF1728D06EF013F6190AD773F38E83464E43D3677C118ADAE850CDF899823,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000007561493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:42.927{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007561492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-10 17:15:42.927{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000007561491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.212{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.212{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCED4CD072622EB0B390D709AFD79A98,SHA256=18E1EE819C168473D249B05DD1A9B880C4FB0193BF5E647B21784F42E4011CF2falsetrue 23542300x80000000000000002132983Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:42.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0616CDF37B72BDC61BD3C20E965DBEB,SHA256=32046745A1438DF80A8FBECE28BA18DD25207DBD37E6019A9B79856A3E476CBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=3DD0430A834FF489775743F3E40A8220,SHA256=FDF0D78F844E99283B750748A561AABB99B2B2EB58A9B1F6D7A45CA8DE762C31falsetrue 11241100x80000000000000007561487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=6527448EC259A9AAC472502274FB304F,SHA256=371D3F63FC913D9079FB6C71841C78DDC87E7535107C4FF5D3F51862FE1D8973falsetrue 
11241100x80000000000000007561485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=73423BE07866989DBF0CCA58080555CE,SHA256=785043981430C4194749C4CC58D7467EE09FE18D639A2A99A6823AC3E17A5385falsetrue 11241100x80000000000000007561483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=249A335E2C556033050A739B59A43224,SHA256=C04397E8013DF2FD49DBC46C2979C320F0A888F9ED9A73367A6E2B021F0A1E8Bfalsetrue 11241100x80000000000000007561481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 
20:44:01.067 23542300x80000000000000007561480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=ABAB130012BE6D00559CB3BEECB85732,SHA256=1662A20D24487572B9742FF75635AA8D4815EF3C93C69462FBB359392909ED2Ffalsetrue 11241100x80000000000000007561479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.bin2021-09-03 20:44:01.067 23542300x80000000000000007561478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:42.044{4DF467A6-4079-613A-86FA-00000000F001}5896ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dueu30lv.default-release\datareporting\glean\db\data.safe.binMD5=DBEB2A380DDCE510924D6609E518B47A,SHA256=FDC5A0D42DEBC1660BDDD9A75C3936A21FBB6CED87F9B0669C4156EB1000F7F7falsetrue 11241100x80000000000000007561551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=811095B94855CB2E112ED1A226FA7B79,SHA256=DC8B28DA868D27A81ED50C5BDE8B4FC51588069170A229E0EA3EDC52BCD5B8A2falsetrue 734700x80000000000000007561549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007561548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007561545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007561543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007561542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 
734700x80000000000000007561541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007561540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007561539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007561535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000007561530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007561529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007561528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007561527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007561526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007561525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007561524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007561523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007561522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.926{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007561521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007561520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007561519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007561518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007561517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007561516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007561515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007561514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007561513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000007561512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007561511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:43.910{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007561509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007561508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007561507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000007561506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007561505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.910{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007561504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.905{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007561503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:43.904{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:43.904{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:15:43.904{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:43.904{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:43.904{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:43.904{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007561497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6CB89D161E1D2AE5852182207F5A7D71,SHA256=D76A782FB401107F829D8D5070167D26C8621C3DCF817FA337AC21490F1736C7falsetrue 11241100x80000000000000007561495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:43.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A5FB4190F9863167DB63A410EF4D62,SHA256=3F6A5BAA0296A5A993E2C98EF869CD6D6EE475372F49C17F69B0E3D59FBB67E3falsetrue 23542300x80000000000000002132984Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:43.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A13723F0429AFE66566A4232552526,SHA256=6F6A4C37CF377EBC16451258071B013489A8A64977B1296A9D8B112E89788ACC,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007561619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.725{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007561618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.725{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000007561617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:44.725{4DF467A6-92C0-613B-AE22-01000000F001}37887208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.725{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007561615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.725{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007561614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.605{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 
(rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007561613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.604{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.604{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:44.603{4DF467A6-92C0-613B-AE22-01000000F001}3788\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007561610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.603{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000007561608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007561607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007561606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 
734700x80000000000000007561605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007561604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007561600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007561595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007561594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007561593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007561592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007561591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007561590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007561589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007561588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007561587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007561586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007561585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007561584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007561583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007561582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007561581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007561580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007561579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007561578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007561577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007561575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007561574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007561573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000007561572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007561571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.587{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007561570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.573{4DF467A6-92C0-613B-AE22-01000000F001}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007561569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:15:44.572{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:44.572{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:44.572{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:44.572{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:44.572{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:44.572{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007561563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=739A9988AB8646D3D2D951D00C3B05D2,SHA256=F48D1B4CB87BCC1780EEBF2D626854A263A6677805F7DA4D73DB45AA6EBF097Ffalsetrue 11241100x80000000000000007561561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FE777CC8F404D0292E067382CD29A1E9,SHA256=6272D862223D88C858C909F7597568F2FDFAAB84D1F98C6F2CDEC2378F8C7376falsetrue 11241100x80000000000000007561559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18C970DBEA8B788F5C4560877502A45,SHA256=E8EE40E408478F60CB60DBD411AFDF534A941B616EB5B777A5204E95A4C0F3FEfalsetrue 
23542300x80000000000000002132985Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:44.091{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1825928ACD7191C4BC16F9518B1FFD,SHA256=588C99F911ED7F7D0C0EDAE18D64FC21D232BF72917410243862AD2BBB466655,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007561557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.787{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56995-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000007561556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:25.787{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56995-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 534500x80000000000000007561555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.057{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000007561554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.057{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 
734700x80000000000000007561553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.057{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007561552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:44.057{4DF467A6-92BF-613B-AD22-01000000F001}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007561734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007561733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007561730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000007561728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows 
Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007561727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.985{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007561726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007561725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007561724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007561723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007561721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000007561720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007561718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007561717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007561716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007561715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007561714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007561713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007561712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007561711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007561710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007561709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007561708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007561705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 
734700x80000000000000007561704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007561703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007561702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007561699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007561698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:45.969{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
17:15:46.684{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.684{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B075554BD5760F4CD1A8A4B6AE5A0D70,SHA256=6A8F55C7117D97ECA4A4F27884871DE9A2B4F803B2105E6DFC3032CF39760178falsetrue 734700x80000000000000007561792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.668{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007561791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.668{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.668{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:46.668{4DF467A6-92C2-613B-B122-01000000F001}7800\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007561788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.668{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000007561786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 
734700x80000000000000007561785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007561784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007561783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007561782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007561778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000007561774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007561772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007561771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007561770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007561769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007561768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007561767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007561766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007561765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007561764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007561763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007561762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007561761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007561760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007561759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007561758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007561757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007561756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007561755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000007561754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007561752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007561751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007561750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000007561749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007561748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.653{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007561747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.638{4DF467A6-92C2-613B-B122-01000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007561746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:46.637{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:46.637{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 
17:15:46.637{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:46.637{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:46.637{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:46.637{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000002132990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:37.993{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62448-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:46.379{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6024B2CCDC7EB4FACCBA7EB1527A1D41,SHA256=DEF7312FDF98597DD9A843EB993E9888C80CFCADE15DC6B646FEA3CEF934A1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:46.378{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C90DD6953349CD5CCBAF4DEE92E1369E,SHA256=E9AC0A6822D9D86EAC462A7163A957C6ADF07A04D4A2850F80962E1CD83E97FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:46.141{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85500FB65D6AEC24BD0915414952050A,SHA256=53F322D37A31C84DC55E24E4CA609E01410C75D0796C9C6E632CF5AC880A43A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.285{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.285{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E03C2DE776D67A41796EADDA5035F9DE,SHA256=CE629E7D0B2207A4B637753EEE55F122E7DAA27AD5D3AE2CFA0121120277A8A5falsetrue 534500x80000000000000007561738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.107{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000007561737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:46.107{4DF467A6-92C1-613B-B022-01000000F001}45367864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.107{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007561735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:46.107{4DF467A6-92C1-613B-B022-01000000F001}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007561919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007561918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007561915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007561913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007561912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007561911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.882{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000007561910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007561908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007561906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007561905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 
734700x80000000000000007561903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007561901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007561900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007561899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007561898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007561897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007561896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007561894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007561892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007561891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007561890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007561889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007561888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
(rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000007561887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007561886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007561885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007561884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007561883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007561881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000007561880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007561879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007561878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007561877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000007561876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007561875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.866{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000007561874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.853{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007561873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 18141800x80000000000000007561872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.851{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:47.851{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.851{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 
17:15:47.851{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000007561868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE014FF1C7D55A91FE4F217CB5EB464,SHA256=6E4211AB5818764DA9BF4BFF2FD787690A16360C42A72FE5A854DC95B49461AEfalsetrue 18141800x80000000000000007561867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.851{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:47.851{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000007561865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CFDDFD140E5DD1CFF54530F9F86C9C,SHA256=93A9874E8CB699BD3B4E62D83FFB50882F1759D800A6F051FB6F5C50A7875953falsetrue 
11241100x80000000000000007561863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2987B9F35F20D40D0BFFC196F8280EBB,SHA256=1D4B0EDFACA7FC56DE3397C44746FFC08AC457AAB0E98E3250C857BA360BEB80falsetrue 23542300x80000000000000002132991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:47.143{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC705B9D78AD6A89E75723C32B3EF783,SHA256=DAA1B58757E469E0D09B9BEA7F88AFEFA9E00C64616EF040FB7591006839A55E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000007561861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.483{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007561860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.483{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007561859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.483{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000007561858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.483{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000007561857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007561856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 
(rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007561855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000007561854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007561853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000007561852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000007561851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007561850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.367{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000007561849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000007561848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
734700x80000000000000007561847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000007561846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000007561845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000007561844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000007561843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000007561842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000007561841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000007561840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000007561839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000007561838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000007561837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000007561836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000007561835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000007561834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007561833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000007561832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000007561831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007561830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007561829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000007561828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000007561827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000007561826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000007561825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007561824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000007561823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007561822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007561821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007561820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000007561819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000007561818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000007561817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 
734700x80000000000000007561816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000007561815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007561814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000007561813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000007561812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000007561811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000007561810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007561809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.351{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007561808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:47.337{4DF467A6-92C3-613B-B222-01000000F001}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000007561807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.336{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:47.336{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.336{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:47.336{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000007561803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-10 17:15:47.336{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000007561802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-10 17:15:47.336{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000002132992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:48.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56BAB7F649978EDDE4603CC924FB6C5,SHA256=BB560564E42ACC53905DC12676C63D51576947B5D22C682CF1DDBDCE1BDD0F4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:48.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:48.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=02441698701E8C21C0007BB2FBDF6E89,SHA256=89C32969C81EE518376CD3D3EAC0D12A0DA0553D2D9CBA1D957A597281A9180Afalsetrue 534500x80000000000000007561923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:48.003{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000007561922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:48.003{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007561921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:48.003{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000007561920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:48.003{4DF467A6-92C3-613B-B322-01000000F001}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000007561934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.448{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AEC0776B8D53982595812C3477FB7B5F,SHA256=AC1D7C5A1E8D110A8CA540795A5F2AA7683605E1A618F607F3D9C65890124561falsetrue 11241100x80000000000000007561932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.433{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.433{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EFA8F2798102EF60A0D092CDC0450AF,SHA256=83E65994750877DAB88BE448DEF9D5067741979255904CC58658569F98AB79E9falsetrue 354300x80000000000000007561930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:29.728{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56997-false10.0.1.12-8089- 11241100x80000000000000007561929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277C6A8013D09506A5CDB4E2E044B628,SHA256=0AFD47EE56E14A09F4ACCE7EA1D67FFFF3DC4DD4CFA4B55B0193B31669A1D953falsetrue 11241100x80000000000000007561927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:49.065{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=353C8A68004FEAD2CAA504334DDB9937,SHA256=00A1A54B1277900F61327B737B16D3AC0D55E8B9EEEE739D78E331C0B42C9FCCfalsetrue 23542300x80000000000000002132993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:49.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2D77DBD2413EB662E12C437F2F5F5A,SHA256=F49EC41978963D9C9FF170248E762F06A7B341372FD1892BE3020EC1A023314C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:50.247{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B824F155836A5483C1F7FA1E436B248,SHA256=698383F6D91CBC74DC6A263F4E554D584E05978C27D83EE6C314CD1EAA237B65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:50.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:50.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2544865F68CD2DAA3D53E00FF30BDA5,SHA256=E9DF1DBA5D074E55C6AEB1BF491DD0C55010AFDDE241A4A2184CE72F8E131C2Ffalsetrue 11241100x80000000000000007561936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:50.097{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:50.097{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8494C380401E676A835FCF907D572E41,SHA256=43C8C8BAFDEC935AB9645DB0CF7E811C25CFCAB8B711A59DABB44FC6C55B2DA4falsetrue 23542300x80000000000000002132995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:51.250{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED798117A6100914E60D51B9F03F266,SHA256=A841F8C09B797EA563FCA31507BA021A434E0D4D553197E440BC2E66605B8B97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007561941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:31.940{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56998-false10.0.1.12-8000- 11241100x80000000000000007561940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 
17:15:51.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:51.114{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951894C9D84A939BA4D5E2F1D2703754,SHA256=CF9E5EDBBF5650A31712EC1A7A06EA9F8000246C063B5E2D0825FAADE091E103falsetrue 354300x80000000000000002132999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:44.003{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62449-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000002132998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:52.251{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E69C65CBB4D1D3240B6B77397A1E3F,SHA256=EA2CD39242F71E3B71C7D74BC5CD599C831B6705E1CF7D14A22B4231025434E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:52.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:52.128{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076FD3DF6DDBDAF8429F5CFB4BDB66EC,SHA256=6128373976CDC112744C2BABDA6DB59D8D1C1D137D468C56E825E2611F9F13C4falsetrue 23542300x80000000000000002132997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:52.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5391607CCD6F8C723CFC80C18B92A5DB,SHA256=0E120BC88814D2AECA032453318FEEF53285EF718373F4EE9DE9983F0AD14A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002132996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:52.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6024B2CCDC7EB4FACCBA7EB1527A1D41,SHA256=DEF7312FDF98597DD9A843EB993E9888C80CFCADE15DC6B646FEA3CEF934A1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002133000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:53.253{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB061ADD61DC33271CC3BE736659CB9,SHA256=34F48D6EC9056E0E55350B9F7709FFFCD600B088F5BE2EF3DC77AC0695E9EA95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:53.510{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:53.510{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D342DB9CEA69A1F7CC82EF689D28E2B1,SHA256=DD40D520220E43FA8E485F705085068FAEC7CCF441D373ECC51268EEB12F1254falsetrue 11241100x80000000000000007561945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:53.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:53.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFB48A9DD9744B3C15BFE5F6AF74A0C,SHA256=EAE552A7579B18468DF7E01A1E354E8BCBB4F8BDCA5F8824EBB9FF7DF19537D3falsetrue 
10341000x80000000000000002133015Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.707{AEE49BD1-92CA-613B-CA1B-01000000F101}41082276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133014Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.589{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-92CA-613B-CA1B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133013Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:54.588{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133012Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.588{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133011Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:54.588{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133010Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.588{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133009Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:54.588{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133008Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.587{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133007Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:54.587{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133006Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.587{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:54.587{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.587{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-92CA-613B-CA1B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002133003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.587{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-92CA-613B-CA1B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002133002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.571{AEE49BD1-92CA-613B-CA1B-01000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002133001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:54.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E2883B01CE15312B988C7B2C55EF7E,SHA256=A32CBB715E179ABF9A9C0B6CD41B0B07C6213E5B3B4D3D61EF000E95EA9516F7,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000007561953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:54.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:54.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=495D6F51FCF339324FAC452B5A0FBEE9,SHA256=D5A05ACF25917344023A7145AEFD0033578E946D96022CBF0226DBB5C427CE8Dfalsetrue 11241100x80000000000000007561951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:54.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000007561950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:54.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=59F88FE000B1B6948ED42898CC9D883F,SHA256=B720E371D113AF2084AD638402C7E87CBD2B96217D1EE882CF535838FEB0FE18falsetrue 11241100x80000000000000007561949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:54.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:54.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFBCE70D6623F9B322EB7E0E478F284,SHA256=1D991FBDD800C1F44E3064A506E9477B7B38FEA232D113183F121FD336D235DBfalsetrue 10341000x80000000000000002133043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-92CB-613B-CC1B-01000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133036Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133035Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.956{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133033Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-92CB-613B-CC1B-01000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002133032Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.956{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-92CB-613B-CC1B-01000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002133031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.941{AEE49BD1-92CB-613B-CC1B-01000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002133030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.590{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5391607CCD6F8C723CFC80C18B92A5DB,SHA256=0E120BC88814D2AECA032453318FEEF53285EF718373F4EE9DE9983F0AD14A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002133029Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.355{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D1C0B27553FC63ACBD7AB3FB84478C,SHA256=13A608544AF21182B5EF41C5F79D622B14CADD0C19814C14F2413725EE85D115,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000007561959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:55.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000007561958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:55.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21E175E9958F3E18845B826E63F4341,SHA256=D0457042C4C036C982111194B6FDD7CC66C68B724980A7C85F22B07C5088074Ffalsetrue 10341000x80000000000000002133028Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-92CB-613B-CB1B-01000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133027Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133026Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133025Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133024Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133023Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133022Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133021Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133020Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133019Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:55.271{AEE49BD1-415A-6132-0C00-00000000F101}7245560C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133018Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-92CB-613B-CB1B-01000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002133017Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.271{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-92CB-613B-CB1B-01000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002133016Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:55.256{AEE49BD1-92CB-613B-CB1B-01000000F101}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007561957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:55.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:55.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1552C691248881B0918DE8E615B3771B,SHA256=8E425A2E2C3EA4D2047534F45158AF89077C5C0F7E288898BCD61B3BE6D6128Dfalsetrue 11241100x80000000000000007561955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:55.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000007561954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:55.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78017A4BD84D5BE7638A9CFA06A78AB0,SHA256=AA5B1063B68C07A9E75D09D40C638269265089976AE59EBCCA5F01CF051C3290falsetrue 23542300x80000000000000002133074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.940{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24DE5BCDB8E909E54624B8BCCE8AA2D6,SHA256=CE251FCA9512BEEE61DC8E7F72112B88756280E29CA403265763EC0AA7B6F445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002133073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002133059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 
17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002133045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.925{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000002133044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:56.393{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FD39E210963B13F7DC0D2B393B488E,SHA256=60B7F9C760FFFAAEDBBCA6579D1051A8121EECFC0170F1F977BF8C4F5A2515BC,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000007561962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:37.031{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local56999-false10.0.1.12-8000-
11241100x80000000000000007561961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:56.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007561960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:56.253{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FC34AE6F3E88A8D89F480F4107E736,SHA256=4D5EDEBCEB0C72D679BD1D2B69A42EE5318096AB4D7E509F83F9561C06F1F2E0falsetrue
23542300x80000000000000002133075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:57.610{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E7DC8C5087DB27BB8E58CBEDB1DCED,SHA256=83F1B814C2CBFE7687BB2087F9B666E001817BB3029DF26E0C0DA0935448B80C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007561964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:57.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007561963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:57.366{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244B5899A39BEA0357586F0A61C00884,SHA256=7801FC840DAA60D6D158B4E90F0DB9D0DC851CA673F76235D30FABD39711DF69falsetrue
354300x80000000000000002133078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:49.956{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local62450-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000002133077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:58.692{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FD3DCD054096A6B46646447B9D9357,SHA256=729B30C6FB52643BE591D1332926E966239BA96658BE8744EEDF2AAEC6631FFC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007561970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:58.602{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000007561969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:58.602{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A7D9D84AD9F4E0B0B1BCE19F059C63A,SHA256=65E9E44173A34A52A7370DC5F34576BDA9358B8CAA0C9588D8AE13E767F7CCC9falsetrue
11241100x80000000000000007561968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:58.564{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187
23542300x80000000000000007561967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:58.564{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=479929A5FA4B6AEA13CB8066FA20AB72,SHA256=C42A1F01A38DF9F8A2A1DAAC960593816E4452688F627B8567043F110668E487falsetrue
11241100x80000000000000007561966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:58.464{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007561965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:58.464{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B69C0815CCDCC3A41056FEE51BDC533,SHA256=486395841E7A3165BF67CF677DEBC80E1AE98A6C2FE2267CD538751B828C7375falsetrue
23542300x80000000000000002133076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:58.374{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA20B7285054E5FFBC05B8A7003E5D7D,SHA256=E5E9911C4336404CD734AB9DD8B97F68C83C6A57C2C3D9799255306B39095186,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000002133079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-10 17:15:59.698{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3B9CEF5A5A10BA13EF0AEDF8F54B94,SHA256=85F0893B807F618F9EEF1B8D66020967AE319E0C641D4CF29BE6700C4593D054,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000007561976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:59.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000007561975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:59.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3EEB080ABF293DA1B34282575EE6FCFE,SHA256=ABD1DFC2F040EFE97BBC921E2F98CB91AAD19E9FD98DD2505CB55EA5FE50A647falsetrue
11241100x80000000000000007561974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:59.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754
23542300x80000000000000007561973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:59.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=703E3517A23476025B53654EF08731A7,SHA256=F11B80B2E19265190951E1DF922DBCFFC517875057205C37C59EFCB4A370A6AEfalsetrue
11241100x80000000000000007561972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:59.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675
23542300x80000000000000007561971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-10 17:15:59.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4F03F9C8E9E39A1E0143A70046006D,SHA256=9676DAC098131A5DC45341AA0A42B01CC6BA3B92C3360E05DA6D8A2D8EBE083Efalsetrue